ICO Annual Report 2009

Information Commissioner's Office

Annual Report 2008/09

Our vision

The ICO's vision is a society where information rights and responsibilities are respected

by all.

Organisations inspire trust by collecting and using personal information responsibly, securely and fairly;

people understand how their personal information is used, are aware of their rights and are confident in using them;

public authorities are open and transparent, providing people with access to official information as a matter of course;

and

people are aware of their rights of access to official information and are confident in using them.

Annual Report 2008/09

Presented by the Information Commissioner to Parliament pursuant to section 52(1) of the Data Protection Act (1998) section 49(1) of the Freedom

of Information Act (2000) and schedule 5 paragraph 10(2) of the Data Protection Act (1998).

Ordered by the House of Commons to be printed 6 July 2009

HC619 London: The Stationery Office Price : £19.15

Your information rights

The Freedom of Information Act (2000) gives people a general right of access to information held by most public authorities. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend public money.

The Environmental Information Regulations (2004) provide an additional means of access for people who want environmental information. The regulations cover more organisations than the Freedom of Information Act, including some private sector bodies, and have fewer exceptions.

The Data Protection Act (1998) gives citizens important rights including the right to know what information is held about them and the right to correct information that is wrong. The Data Protection Act helps to protect the interests of individuals by obliging organisations to manage the personal information they hold in an appropriate way.

The Privacy and Electronic Communications Regulations (2003) support the Data Protection Act by regulating the use of electronic communications for the purpose of unsolicited marketing to individuals and organisations.

© Crown Copyright 2009

The text in this document (excluding the Royal Arms and other departmental or agency logos) may be reproduced free of charge in any format or medium providing it is reproduced accurately and not used in a misleading context. The material must be acknowledged as Crown copyright and the title of the document specified. Where we have identified any third party copyright material you will need to obtain permission from the copyright holders concerned. For any other use of this material please write to Office of Public Sector Information, Information Policy Team, Kew, Richmond, Surrey TW9 4DU or email: licensing@opsi.gov.uk

Contents

1. Information Commissioner's foreword 7
2. Year at a glance 15
3. Educating and influencing 19
4. Resolving problems 29
5. Enforcing 41
6. Developing and improving 47
7. Governance 51
8. Information requests to the ICO 53
9. Financial statements 55

Commissioner's foreword

1. Information Commissioner's foreword

Are we making a difference? As I complete my second term of office, I want to

highlight four key changes – cutting

across freedom of information and data protection – which have come about during my time as Commissioner:

• transparency is now seen as central to healthy democracy and citizen welfare;

• accountability has become a key driver of public policy;

• our work impacts directly on the relationship between state and citizen;

and

• access to official information and protecting personal information have moved centre stage.

Transparency

Transparency and openness have become part of the standard political vocabulary. The public's right to know has become a success story. Wider debates are underway about democratic renewal, public engagement and constitutional reform. Freedom of information, a somewhat fragile flower for most of its lifetime with few vocal friends in Westminster and Whitehall, is now a permanent fixture and a core part of the fabric of public life. The talk now is of extending the legislation.

The recent uproar over MPs' expenses has of course brought

much immediacy to these debates. The implications of that controversy continue to reverberate with unpredictable consequences. Our decision requiring disclosure – which was extended to greater detail by the tribunal following the appeal launched by the House of Commons – played its part, though newspaper revelations ignited the firestorm.

Commissioner's foreword

This is, however, part of a much wider agenda of social change. People are better-educated than ever and no longer expect to be kept in the dark. There is suspicion of secrecy and cover-up. Modern communications mean that the public expect instant access to what is going on. The Freedom of Information Act has created a legal presumption that information held by public bodies should be available as a right. There has been a strong appetite to use the law – with an estimated half a million requests since it went live in

January 2005.

I believe, too, that the Information Commissioner's Office (ICO) has made a difference. We have handled more than 11,500 freedom of information complaints, and issued over 1,225 reasoned decision notices. Our approach as the independent adjudicator has been fair, robust and responsible – deciding each case in accordance with the law, regardless of whether that results in uncomfortable disclosure for a public body or frustration for the unsuccessful complainant. The sheer variety of subject matter has been challenging, with many controversial and complex cases requiring our caseworkers to have instant knowledge on unfamiliar topics. Large numbers of the cases we

rule on involve everyday issues that matter to people, such as planning applications, speed cameras and parking offences. Stepping back in time, we have dealt with the 1911 census, the sinking of the Belgrano

in 1982 and the Budget of 1997. We have resolved international cases, such as those involving arms sales to the Middle East and the development of the Sakhalin gas field. Domestically, cases have covered animal experiments, MMR vaccine and abortion statistics. In the world of finance we have also considered hedge funds, airline contracts and government subsidies.

In all cases, transparency has driven the demand for information and provided the rationale where disclosure has been ordered. The same is true of the guidance that we provide to public bodies and the growing amount of enforcement work where systemic problems or unacceptable practices surface. The surprise is

no longer the nature and extent of disclosure. What is astonishing is how much was previously treated as secret.

Less obviously - but equally important

– transparency lies at the heart of

good data protection practice. This

is much more than the vital rights to access your own personal data and to ensure mistakes are corrected. Privacy has become a reputational issue

for both commercial and public organisations - fuelled by the availability and integrity of information. Transparency lies at the heart of Privacy Impact Assessments –

an ICO initiative now mandatory

for government schemes - which demonstrate how the risks of handling information can be identified, minimised and safeguarded. Privacy policies set out organisational approaches and Privacy Notices – where our new code calls for user- friendly clarity - explain to the public how their data will be used and the choices available to them. Greater understanding of how your personal details are being used and stored leads to greater trust in an organisation. Our Information Sharing Code will soon be transformed into a statutory code. The ICO's Personal Information Promise invites those leaders committed to proper information safeguards within their organisations to sign up and be counted.

Accountability

Inquiries and investigations into data breaches have demonstrated beyond doubt that accountability – spelt

out through sound governance arrangements - is key to handling personal information well. If there is no clarity and certainty about who

is responsible, things will go wrong. I welcome the new requirement for every government department to identify a Senior Information Risk Owner and similar initiatives in the devolved administrations. This reflects the belated recognition that reputation and regulation matter at Board or

Chief Executive level and that good information handling is now

a governance issue cutting across traditional boundaries. Data protection has become too important to be sidelined to the experts or to a single team. Senior level accountability recognises that it is important (but not sufficient) to tackle the paperwork

– the right policies, procedures, contracts and compliance programmes.

It is important (but not sufficient) to assure the technology – the right systems architecture, privacy by design and operational safeguards. It is important (but not sufficient)

to address human weaknesses –

with the right awareness and training programmes and the right management and supervision.

Commissioner's foreword

Accountability is needed for all aspects of data handling – not just ensuring appropriate security. There needs

to be clear responsibility for data minimisation – not collecting any more personal information than is needed and keeping it no longer than necessary. Data quality and data cleansing are likely to assume ever greater importance – ensuring the

right information relates to the right person, that it is accurate and that it

is kept up to date. Many organisations describe information as a valuable asset, as indeed it can be, if it is managed well. We have tried to get them to recognise that this can also quickly turn into a major liability if the risks of poor data handling materialise. Real damage to people's careers, reputations, personal relationships, private lives and bank balances can follow if things go wrong. Real damage can also hit the reputation, the prosperity and the legitimacy of

the organisations responsible. Data protection is often described as specialised risk assessment. As Sir Mark Walport and I made clear in the context of the Data Sharing Review, it needs to be taken seriously at the

heart of an organisation's integrity.

From the other direction, the Freedom of Information Act is a stark reminder that a defining feature of modern democracy is that those elected to power and their officials are accountable to the people. The public has the right to know what is done in their name and with their money. Freedom of information brings greater public understanding and less scope for impropriety, for decisions or for

activities behind closed doors which jeopardise public confidence.

The first four years have involved massive learning for everyone. Many transitional problems have been caused as public bodies have resisted disclosure of material which had been written without an expectation that it could reach the public domain.

As we move into a more mature business-as-usual phase, public sector culture must continue to shift in favour of openness being the norm. There is no need to wait for requests. These can be sporadic, burdensome and disruptive. I have frequently advocated the crown jewels' approach - public bodies need to show they recognise the imperative of accountability (and make lives easier for themselves) by identifying what absolutely has to be kept secret and then proactively publishing other official information as a matter

of routine.

The relationship between state

and citizen

Technology has become more powerful, more universal, more portable, more global, cheaper - and now offers unlimited and unforgiving memory. Controversy greeted my fear that "We are sleep-walking into a surveillance society." The report and international conference which elaborated these concerns in 2006 have led to much welcome debate and activity stretching well beyond the ICO. It must be without precedent for two heavyweight Parliamentary Committees – Commons and Lords – to review the same topic in such a close time span. I was pleased that both reports echoed our worries that too much information is collected on people without sufficient debate, restriction or safeguard. The House of Lords Constitution Committee concluded that "The expansion in the use of surveillance represents one of the most significant changes in the life of the nation since the Second World War... and continues to exert a powerful influence over the relationship between individuals

and the state."

Modern technology brings many benefits in terms of law enforcement, public protection, delivery of public service and research. But I welcome the increased awareness of the dangers that excessive, unrestrained

or unscrutinised collection and use of personal information can bring to the right to privacy and other freedoms. Benign motives do not eliminate the risks. The need for vigilance continues to influence debates over identity cards, databases of children and those in contact with them, electronic health records, criminal records, police intelligence and so on. It is especially significant that the then Home Secretary has ruled out the idea of a single government-run database of communications traffic data. The tensions between security and liberty are undoubtedly delicate, but they

are healthy and it is essential to secure a balance, with clear boundary lines, informed by full debate.

There is no irony in the dual need to limit the state's knowledge about the private lives of citizens and to increase the citizen's knowledge about the activities of the state. The principles to be adopted, and the application of those principles to each case will always be contestable, but there can be no doubt now that both are central to the state/citizen relationship. To get the balance right, I am convinced that it is right to charge a single Commissioner with data protection and freedom of information responsibilities. This goes well beyond the inevitable need to reconcile the privacy and disclosure considerations in a significant proportion of cases.

Commissioner's foreword

Centre stage

The ICO has taken a strategic approach to our multiple roles as influencer, ombudsman and policeman. We have clear priorities and a targeted approach. Data protection has previously been marginalised and

not taken seriously. Freedom of information has still not reached adolescence. Both subjects now

find themselves influencing (and sometimes setting) news and political agendas on a daily basis. Both have moved centre stage.

In the past, data protection has suffered a poor reputation. Although much was being done to tick the boxes to ensure technical compliance, the topic was generally given low priority. Worse, there was considerable media scepticism or even hostility as well as public ignorance, indifference or irritation. Data protection was widely seen as remote, unnecessarily complicated and uncertain. The

law, the more detailed rules and the available guidance were seen as overly legalistic - almost theological. Worse still, data protection was often used as a duck-out wrongly blamed for stopping people doing things and used to justify mistakes or unacceptable activities.

In 2009 the situation is very different. From left, right and centre there is support for our work. The exposure

and closure of the secret construction industry database was universally praised. The illegal trade in personal data appears to have diminished.

We have worked hard to get data protection taken more seriously.

Our Data Protection Strategy makes clear that we place most attention

on situations where there is a real likelihood of serious harm and where our intervention is most likely to make a difference. The strategy repeats that our key priority has been:

"Strengthening public confidence in data protection by taking a practical, down to earth approach - simplifying and making it easier for the majority of organisations who seek to handle personal information well, and tougher for the minority who do not."

It is not easy (and anyway too soon) to measure freedom of information achievements by reference to rationales of trust, confidence, accountability, improved decision- making or reduced impropriety. But it can be said that the impact on the general public appears to have been substantial. Our annual survey shows marked increases in public attitudes towards the benefits of access to information held by public authorities. Those agreeing that freedom of information "increases knowledge of what public authorities do" rose from 54% in 2004 to 84% in 2008. Those agreeing that it "increases confidence in public authorities" went up from 51% to 75%.

Despite the centrality of all our work, however, more is needed to ensure its benefits are understood and that

it is taken even more seriously. A step change is now needed. I have argued consistently that it is wholly unacceptable that the ICO should need the consent of a data controller to inspect its activities. I welcome legislation currently before Parliament to create the power to inspect public bodies. But this remains seriously deficient without a sanction for those who ignore the so-called requirements and without extending our powers so we can also inspect the private sector. The proposed tiered notification fees should increase our annual data protection budget to some £16 million, but this will remain tiny compared

to other regulatory bodies.

Our resources for freedom of information are considerably less.

The total annual cost of freedom of information, across the whole of the public sector, was estimated at just some £35 million in 2006/07. Of the total, we currently receive £5.5 million, and we have had no increase at all

for the current year despite a 15% increase in cases in the last year. Public finances are very tight, but – especially if the legislation is to be extended - ICO needs adequate and longer-term funding to enable us to fulfil properly all our complaint, guidance and enforcement responsibilities. Delays have been the most serious problem with freedom of information – within public authorities, within the ICO

and at the tribunal stage. We have improved our performance substantially and are meeting our targets, but the delays for most cases which require full investigation remain frustrating and disappointing. A recent article argued that the ICO is the only

public sector organisation that needs and deserves more money.

Open government and the right to know have been established. It is increasingly being recognised that open government is good government. But open government has to be properly paid for.

Endnote

The ICO has come a long way. We

can claim good progress with our aim to be recognised as a world leader for both freedom of information and data protection. Christopher Graham, the new Commissioner, will inherit a lively, committed and hard-working ICO which is proud to be making a difference. I have been privileged to serve as Commissioner for almost seven years and I am immensely grateful to all staff and Non-Executive board members. The ICO cannot and will not stand still. I am confident that the office is well-placed to rise to the challenges it will continue to face.

Richard Thomas Information Commissioner June 2009

2. Year at a glance

This report looks back over the progress made against the aims set out at the beginning of the year in the ICO's three-year Corporate Plan for 2008 to 2011.

Educating and influencing

Aim one: To promote freedom of information and open government,

to bring about a culture where public bodies make as much official and environmental information available as possible, proactively and progressively, with individuals widely aware of their right to know.

Aim two: To promote good data protection practice by organisations when handling personal information, with individuals and organisations widely aware of their rights

and obligations.

Aim three: To service the differing needs of communities.

Resolving problems

Aim one:To provide an efficient and valued customer service that deals with all information rights, complaints and enquiries.

Aim two: To provide an efficient and valued freedom of information service making decisions in disputes about access to information held by a public body in a robust, responsible and efficient way.

Aim three: To provide an efficient and valued data protection casework service.

Aim four: To run an efficient and helpful notification service.

Aim five:To increase customer satisfaction.

Enforcing

Aim one:Take purposeful risk-based enforcement action where obligations are ignored, where codes or guidance are not followed and where examples need to be set or issues clarified.

Aim two: Ensure organisations which handle personal information comply with their obligation to notify with us.

Developing and improving

Aim one:To achieve a clear, articulated and lived culture with a recognisable ICO feel that is positive, forward looking, energetic, practical, responsible and influential.

Aim two: To achieve recognisable world-class performance through motivated staff who are committed to the ICO's goals and success.

Aim three: To protect and promote the good corporate reputation of the ICO.  

Aim four: To work as effectively and efficiently as possible, making best use of our resources and gaining value for money.  

Aim five:To improve our use of information technology to encourage efficiency, to keep pace with developments in society and to meet customer expectations.  

Our highlights of 2008/09

Apr 08 Richard Thomas chairs the 'Who got caught out last year, and why?' seminar at Infosecurity

Europe event, Olympia London.

We issue new guidance on data security breach management.

Jul 08 We launch our Annual Report.

The Data Sharing Review by Richard Thomas and Mark Walport is published.

We announce that RAND Europe has been commissioned to carry out a comprehensive assessment of the strengths and weaknesses of European data protection law.

We order the BBC to disclose annual staff costs for Eastenders.

Aug 08 We rule the Nuclear Decommissioning Authority was right to withold a draft paper on radioactive waste storage methods.

We order the Health and Safety Executive to disclose the names of individuals who have died in work-related incidents.

Sep 08 At the launch of stop stupidity week, we urge organisations not to use data protection

as a duck-out.

We find Virgin Media Limited in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of over 3,000 customers.

We run an internal 'Green Week' initiative.

We launch our Northern Ireland Regional Office Annual Report. We launch our Student Brand Ambassador programme.

Oct 08 We exhibit at the three day Chartered Institute of Personnel and Development conference in Harrogate.

We launch the 'Personal Information Healthcheck' to mark National Identity Fraud Prevention week. We attend the International Data Protection Commissioners' conference, in France and Germany. We publish our leaflet on new model publication schemes for town and community councils.

We call for a public debate on government proposals for the state to retain citizens' internet and phone records.

Nov 08 Our Communications and External Relations Department wins the Chartered Institute of Public

Relations PRide award for Outstanding in-house public relations team, North West region.

We carry out an internal bullying, harassment and discriminaton survey. We host the Data Protection Officer conference in Dundee.

We host the Privacy by Design conference in Salford.

Dec 08 We issue guidance that says vexatious freedom of information requests can be blocked.

We successfully prosecute three London law firms for non-notification under the Data Protection Act. We order Ofsted to release the names of 29,970 child care managers and their relevant place

of employment in England, following a freedom of information request.

Jan 09 We mark European Data Protection day with the 'Personal Information Promise.'

The Information Commissioner Richard Thomas gives evidence to the Justice Select Committee on the ICO's work.

New figures show a significant increase in the number of data breaches reported to the ICO. We launch 'Tick Tock' the freedom of information training DVD for public authorities.

The Information Tribunal upholds our decision on the release of cabinet minutes which discussed the 2003 invasion of Iraq.

We take enforcement action against the Home Office for a serious data breach.

Feb 09 We respond to the House of Lords Constitution Committee Surveillance Society report. We sponsor an award at the Cheshire Positive Awards for Business.

We take part in the Hampton review inspection.

Mar 09 We host the Data Protection Officer conference in Manchester.

We successfully prosecute both a London and Middlesex law firm for offences under the Data Protection Act.

Vietnamese delegation visits our head office to discuss the importance of freedom of information, proactive disclosure and our experiences.

We issue a formal freedom of information practice recommendation to the Department of Health, regarding its record management.

We seize a covert database of construction industry workers from The Consulting Association and open a new telephone service for people to check whether information about them is held on it.

We take data protection enforcement action against Camden and Islington Primary Care Trust. We prosecute an Hounslow law firm for offences under the Data Protection Act.

We issue a freedom of information practice recommendation to Greater Manchester Police regarding internal reviews.

3. Educating and influencing

Information rights

Information rights remained high on Individuals' awareness of the data protection right to the political and social agenda this see information held about them was at 86%, and year. Research commissioned by the 75% were aware of the freedom of information right ICO continues to show very high  to request information held by public authorities. levels of awareness.

Prompted awareness of the right to see information held about them

95%

90% 90%

85% 86% 80% 82%

75% 76%

74%

70%

2004 2005 2006 2007 2008

The right to see information about them Trend line

Prompted awareness of the right to request information held by the government and other public authorities

90%

85% 86%

80%

75% 73%

75% 70% 73%

65%

60%

2005 2006 2007 2008

The right to request information held by the government

and the other public authorities

Trend line

Case studies

ICO publication scheme

We sent information about the new publication scheme directly to all 730 community and town councils within Wales, explaining the changes and what they needed to do.

Training

We published a new training DVD, "Tick Tock", aimed at giving public authorities a good overview of their freedom of information obligations.

We distributed 45,000 copies with over 300 people signing up for an early order via

our e-newsletter.

Helping to bring about  Monitoring

a culture of openness IfnreMedaorcmh o2f0 in0f9o rwmeaptiuobnl imshoendit oourirng Following an extensive review of strategy. The strategy commits us to

existing publication schemes we regularly review the model scheme introduced a model publication and definition guidance and also sets scheme for all public authorities. out how we will monitor public Authorities had to adopt the scheme authorities' adherence to adoption

on 1 January 2009 working with all and operation of the scheme. "aPomcsrbohrafuuRcNtuiRTeaunonhsbihrihoankHtfcuigolinobiesifeebnhcSliuodenrefeaoaermsIrsgtonrtebafmarrspdiuaxtcudetontuaaht tehcsTndeVibeistecnetoehspeialssomuseinuocpesc,rostnlsmaypkyuh"infetuvattoabeoddaotaeiahsolimlo.vistelskiadc.cnaTha,, ntaeeiohhesismmclstpfacaeare, cubl  sslaugcooo1eibenltsetr wes3sctotlfgtniesaeoc  arraobcJ lri.raantnu aiueame"ontdiuntrcuessfda atotae thnnrhathhimt o  otigno2 tiooesowuodeerrn0 ntti i t atiyost0 niielhep,fle8 sise s.",s "NWfipbfrFT1irfinnsoeeorr6oseeeccivpBerreeblelllwdipenuuiopBueupndiaivddwedswneCufogtiicoiroacrbnneimsuolnOrplenolggdomiignassrydsnnooatnrmhmeadaohelafdcdeidtnefnloqeeivsidn,oictcnueos,sniihcfninw2eetseu,sfoeeaot.1sir9raahoelrt3mocnebeinrmsnnonpxdon, saJ efuiartauotsttwebshrthitnthrotaityeiomesenuivnlpn antegeauwaigirhgenxxrsiatgeeuecetayaienoueseim"tIdudrn2noriissdeoapnp.ffwh0qoaunodat onufsci0 rlhao muceetao9nelestdar  t,d t ion Building awareness

of individual rights and

"The Information Commissioner, organisations' obligations

We also required organisations to 'Freedom of Information complaints produce a guide to the information from "Mickey Mouse" or "Mrs Sue D which they hold and we expect these Nym" will not be accepted by the

to enable the information to be easily Information Commissioners, new identified and accessed by the general guidance says.''

public.

To help public authorities develop their

guide to information, we produced a

series of definition documents that set

out the categories of information we

expect to be included.

CToibarrpocOao""neeondhfaefvocuqgonvveoetiilrm"uASrotSF1nniuuheerdnopeNhmnfsi8ffeecudarrsynvnl6ooomeedeartatsineemaensavrr,sw5Forgetllamtmubeldiigen3Cefreectiotlcotsnirghocoes,tabaatpMay0astidhuuihensitfttuarc.mmoaci0aenieiioiPetuOdrtooAbalofllhod0fi ssplFeessannoltueTnupieec'rfaecalsirr ntdiptreiiunrsernarlounrihmyiaesgiss eotn"xbelgg6ciobnr. ooeFetndpt2upsliehhroai8e, iedrctr,ocaieentwst0niash anatso,emspydnd9i,rodistntro0 ism,mdesla6i wor ltOg,fartot esr9 f moowhe5wauhsl sf,foisulreaa dvlaegce,-Ifiatmot hntscel sioaFah crrhairAnafc anaaanivrkrort"nf voo lbt yfon ttit eearrstaoehtoh iu oes msprrohrbenrejpsnemestyuur anfmacaoleittdrtptsacntim oi tesa,staohinsIidneolets temde s"ngndii ood tUo n.n"i mKas .   PiCt(fnAhroorrfponem"tOrhptoRoreBhhseeuintiflrguceer-olbef2dimtumyhptiulIchcia0nlaaacraeaeeifatg0bnrt,lpomtrldiie 'hooto8onersma.iuwmnG"rs)orgisstneepfaoronofesdccraptofnetraiaiiytagorrtaaetliim,lhzanculedcreenitrd  oansCiinintn atsvffooshioagomeoWmenratrrntmoianooihtamngwuidnmaegflenisotashuat"i tsitrotrt nnocmoiegonoc'hpfresnalhtduddtteWooodiairpotolgetd'ehssnla,dkee'i ktal.y ""fbfittC"appnorohToneeeafrehooheorsoPserkradpemniorlngolIaeleCnsidhamctnt Oltmttietesuiioowto,a dgrwi inofe shnauy"n hqeyaoli adeoul.gfp uerfeetsi n csht"t cteoehs hr ye hs ii nnier glp

The media continued to give Partnership

prominence to data protection  Together

and privacy stories. Proposed new with the powers for the ICO, data losses,  Ministry ICO enforcement action and crime of

mapping were all covered, and the Defence, DEFRA and debate over the surveillance  the Ministry of Justice, society continued. we published a "Hints

"Sunday Telegraph,  information. Visitors

who go to the organisation's website will be able to use the Personal Information Healthcheck to get

advice on how to

17 August 2008 protect their details'." BBC News Online,

"Virgin Media was today 23 September 2008 censured by the information

watchdog for losing the 'The ICO, which personal details of thousands We also coined the term "data regulates the Data

of customers. The Information protection duck-out" to give us an Protection Act, Commissioner's Office found easy descriptor for lazy and incorrect advises customers

the firm in breach of the Data blaming of data protection.  not to give out

Protection Act after a disc personal information

went missing containing to callers unless information relating to more they're convinced the

holders."  say they are.''

" " 21

Richard Gray, Sunday Sue Hayward,

Telegraph,  Consumer Expert

17 August 2008 at Women's Weekly,

17 June 2008

Our most popular publications

Rank Publication  Total requests

1. Credit explained booklet 39,900
2. Freedom of information - your guide to openness 15,100
3. Personal information toolkit 15,100
4. About us leaflet 14,500

Hints for practitioners handling freedom of information

5. and Environmental Information Regulation request  9,700
6. Data Protection Act (1998) - when and how to complain 9,400
7. The lights are on interactive data protection DVD 9,100

Freedom of Information Act (2000) and Environmental

8. Information Regulations (2004) – when and how to complain 5,900
9. Brief guide to notification 5,000
10. CCTV code of practice 5,000

We produced a series of data protection principle posters, which double as a wall calendar, to remind data protection officers of the principles of the Act.

Promoting good data protection practice and raising awareness of obligations

Following the success of our first  Data Protection Officer conference  

in March 2008, we repeated the event  in March 2009. Demand for places was high, and we welcomed to Manchester about 300 data

protection officers representing  

a wide spectrum of organisations.  ICO staff led workshops throughout the day covering security, communications, privacy impact assessments, handling complaints  and future data protection issues.

We have added to our range of guidance – including new guidance  on the meaning of "data", and on data security breach management.  

""dTrahwe IsChOo usl ady ms tahkaet calenayr s wuchha tp wrizilel

OmaaPticoIndrodsnruueoipdmvdsrnavrratestsipeevcimbufdslaayiyarysncoovinibnnyunenacyggrsifaelgflttDpnatrreirohnarndearimegt ctvtsdehheiapogadoescrrsnt truaygbaoi. mcgtayTcchpthnhiouii earctin iosnl.nstaaiayttc lt aebite aicObcwwni icoomrtooygntuailonvtnni ssrsoDisrdesfn knPteaheseetgo rrnobehqsoei idvil aabutgdnndast uenrceeciin ineslsydctkigoesns, hslctmcptSaoreaoarauyaamnnpmmnrcdtspkcptouaieeinhDacklnsttgeiegeauitndtnatonftogionoahftnfdromienn,"da"isferoupreomndpcnrtrcihiraamvsaoilivaellcuas nacplr,tteecyarhiaaowiygnni nrsneetdao.c","rwnctbo.hiodIchidatgmesese spn po"ra ifwnn tiie "lls TIPTIwmPJTRCnnahhrohrafanafooeoeyessorutramkeePParmlPlacmerrEMiesuoytsarutinsrametoar2usoictooinlio0nhdi ,spn o ADaene0yenPld saaa9isr t l nyto. r  aoamiDnaistea clear statement

November from the leaders of 2008. We The Observer,  organisations saying launched our 1 March 2009 that they value the Privacy by personal information Design report entrusted to them and

which explores will put the appropriate how Privacy resources in place to

by Design might be encouraged as a look after it. By the means of reducing the risks arising end of March 2009 from processing personal information.  88 organisations had

signed up including

in new projects is essential. We have Zeneca and Belfast promotedthe use of Privacy impact City Council. assessments, which have now become

mandatory for all government

departments following the

Tc2tspIwdtouoher0hcarnoed0eoiwcsprPn9uahtlienrthfl. itawtgvTefaiaacynhituliclli sereopclhy yagonc e trnoolhallwpeopodnec tardedioriitscv  rwatoiegalnrnawasacifldulnonyncnhsribosncmeppaadohlradptaeitervi it oepdocoaionnerrcfiagtnsnsyplc ayw aaJrtnn.aabni ochicnsdoeettau uinimctactieeroasynk. se ""aptCOatpP3Eoolrrerol0fexoerfstsmpstihcicaJcgeoeaemofiecnsnrenmitIeitiagansouiodolmnufsandon,aisaori Ear htrM"ypnmddtt qoleaeiaea u2wnad.rt"dr igt'0 f askgi ato0eh xente 9i yng, recommendations in the Cabinet

Office Data Handling Review by  Collecting information fairly

Sir Gus O'Donnell in June 2008.

and BT have

RpYCoeeauoasncepghls eipnt eugod  pyy loeu anreg more IImpslannooufutcsnlhciusceheiehbtytnlilnaeo.c gsTeift nhoomfgifsese tt wpcewrogor oy el ndiencptearcyabirebrsal ui t aowte mfee aadebh nstoatuoavurrettvyh  etdeihinolle qannue icreies ""OgcToufhmifdeicapeInnlychfoewarstmi tothoahttdeihoalepyn DopCruaogtbmaalinsmPihsr ieaosdttsieiooncnnetseiwo rn's aware than ever of to which we provided evidence. Both Act when providing information

their data protection the House of Commons Home Affairs about their employees under The rights, following ICO Committee and the House of Lords Transfer of Undertakings (Protection programmes targeted Constitution Committee published of Employment Regulations), the specifically at raising their reports which commended us law that protects staff when a

their awareness.  for our work. We published our formal business is transferred."

OAcatKdcraeocaiemusdrrmvysmroibeoepSmsar.,mseutsueudsstinsndaehi1svadese5aetnovegrUtrsuideaKicBntsayasirfvwcamoteurnreorpddsorsaeeinstingieetns rtCrabWoiUneehnefonqspeedLimpusoofaototirnirmalnrhtsniderdePostitssti oae enwtpEissedngPrsoueottsaderroo.vraokunTliesiEdprgahokia ueenemenec rdarg odhHetnNethp nruohUaveoetsmemipnld oft aoniieeenoor nrsennAt Rdsdtxc uwfeCtoretf erchay oevatpoieel moerncora sio EdlrHmarltmua.nonirwtni ounctuispeegllaeeel an "eAaT2xnh7lepdexlFaRTiei nMiibcmsrhotueahsasratr,drtyouF  u2nosd0rde0 r, 9 the Da"ta

"New good-practice guidance

from the Information Commissioner newspapersand discusses students' rights to

posters, and a framework decision. access their exam results. Entitled Facebook group "Keep Individuals' rights of access to

your privates private" examination records', the guidance was set up. Over 50 T2h8e ATuimguesst H2 i0gh0 e8 r Educa"tion, campus partnerships Protection Act students can request were established information about themselves,

during the campaign.  including examination marks,

scripts, comments and minutes

of examination appeals panels."

"The Independent,  TAhuethInodrietyp eonndtehnet aSpapfelicgautaiordni nogf their

"Plans to create a database holding vetting and barring scheme. information about every phone call, We were influential in the Home

email and internet visit made in the Office's plans to publish crime maps

UK have provoked a huge public across England, working closely with

outcry. Richard Thomas, the the Metropolitan Police as they

Information Commissioner, developed their own privacy-friendly

described it as "a step too far."  model. We cautioned against point WpghArpbaoaoaigonessvleimgcsecnlieeynorecdnngntyamgrtttfideiconreaurosuncrsmioenotitn'ffrnstgoaavote ctratiems-qihcnagbuteafioilacwtsuyripioeeldtieptinnaeohvlrcirne ctsUeohla.opKnrngTfor "tohiBouassvegosgd,eurrhvradea ntmesnmorcmeenedt "dcoatu"MaotiCnaThlgndotahrmremeciebenreoaeevmtCpndaCerotpiinosnotruiotsolnelinAeiovgdorcdneenniaStlrleoebsrncfiruaoiydmha'sstrolt ieswCpOhsoscalealafhsuh  ftnfiIeihlhoni cssndoafoetaotsll.gim'osnr c'fum"cfimiinnoidaaailealmltolrrilnoyegwicsnpeeiinno gtgrot

Robert Verkaik,  all police forces on how crime maps

5 November 2008 the risk of any unnecessary intrusion. automated clearance systems and Katherine Torney, The Belfast

identity cards for foreign nationals.  Telegraph, 13 February 2009

The opening of terminal five

at London Heathrow

Airport in June 2008

with fingerprinting of International

passengers provoked We contributed to both the

complaints. We held International and European Data

urgent meetings Protection and Privacy conferences. with the parties and We participate in the European Data the arrangement was Protection Commissioners Working

immediately suspended.  Party on Police and Justice which

The phased roll out of the national ptoro tvhied einscarecaosoinrdgi nnautmedb erer sopfopnasne identity scheme has started. We continue European cooperative arrangements.

to influence developments to ensure This includes the adoption of a

these are secure and minimise privacy

risk, and we have had regular contact Eounr tohpeepanro Cteocut niocnil  fo rf a pme er wso on rakl   dd ea ctaision with the Identity and Passport Service.  processed in the framework of police

and judicial cooperation.

We have provided data and private

protection advice on major public We took an active role in the work of sector initiatives, including advising  the EU Article 29 Working Party and the Department for Children, Schools its sub groups. The working party is and Families on Contactpoint and  part of the data protection framework

Case study

Reviewing the European Directive

In June 2008 we commissioned RAND Europe to conduct

a review of the European Data Protection Directive. The project assessed the strengths

and weaknesses

of European

data protection arrangements, and by inference the UK's Data Protection Act.

The draft of the final report was presented to the conference

of European Data Protection Commissioners hosted by the ICO in Edinburgh, in April 2009.

established in the EU Data Protection Directive. It has agreed opinions on the review of the e-Privacy Directive and search engines, working papers on children and privacy and pre-trial discovery, as well as clarifying the Binding Corporate Rules process.

We played a significant role discharging our other international responsibilities as part of the data protection supervisory arrangements for Europol, Customs Information System, Eurojust, Eurodac and the Schengen Information System. Our Deputy Commissioner, David Smith, was re-elected as Chair of the Europol Joint Supervisory Body for a second term of office.

The ICO has also hosted international delegations during the course of the year including Ethiopia, Vietnam and China.

International data transfers

We continue to believe in the benefits

of organisations using Binding Corporate Rules. This is a means of ensuring that individuals' information is protected when being processed outside the European Economic Area

by the members of multinational

groups of companies. It consists of legally binding rules which all members of the group must follow, backed up

by training and audit. The rules also create rights for individuals which can be enforced before the data protection authorities or the courts in Europe.

We have been working closely on the drafting of Binding Corporate Rules and helping organisations with their discussions with other data protection authorities in Europe. In September 2008 we signed up to a policy of mutual recognition and, with our colleagues at other data protection authorities, we have produced clear guidance on the necessary content. We expect that these developments will significantly reduce the time taken to get approval of Binding Corporate Rules.

Serving the differing needs of communities

We responded to concerns about how we engage with civil society organisations by setting up quarterly meetings. We also created a modest travel bursary to help ensure that a range of views are represented at events we organise.

Reaching regional audiences

Our regional staff promoted information rights, by hosting events, attending conferences and through speaking opportunities.

For example, in Northern Ireland we've met with the Chartered Institute of Public Finance and Accountants, the Judicial Appointments Commission, the Chief Executive's Forum, Queens University Belfast, the Records Management Society of Ireland, the Police Service of Northern Ireland, the Children's Law Centre, the Northern Ireland Local Government Association, the Northern Ireland Federation of Housing Associations, the Belfast Insurance Institute and the Northern Ireland Citizen's Advice Bureau.

Given the devolved nature of Freedom of Information in Scotland, we focus on data protection. This year we met

with a wide range of stakeholders

including: the National Data Sharing Case study

Forum; Scott ish Higher Education

Practitioner's Group; NHS Information Reaching regional Governance Network; Scott ish stakeholders

Insurance Forum and the Association Information sharing

of Chief Police Officers (Scotland).  in the Welsh public

A notable involvement was the sector was the main Assistant Commissioner's membership talking point of a

of the Scott ish Government's Expert conference organised Group in IT Security, which was by our Welsh office established after the raft of high early in April 2008. profile public sector data losses. Attracting 200

"""CI(rfnKIurCoofleoemOmnrfm)m oMc,rshai asaktilcsiieddoidoernoehnpnneCein.ar"oogldfmpoD,prmANoSsisAssces iossdiot tal aanamnnen"ptyrd' l sebaslOta ntfhfkieecte "dtsphispn"hptoerrSfaaoreolwoepyctargueeitmkntiagcaceogtatkhareistisdoolnishfoaunpgoaftntrccrratooWeowouvmmsatihdhloipeelesnsldita,ant.

The Scotsman,

24 September 2008

" BTirtnwneoohefil deoetlofearamnAmslseyseat aspakNitinevesieofatriowsantilornamswmnbtLo alaebesrt.uet"iott enr,

"The ICO has ordered the trust, Commissioner for

which serves patients in Bridgend, Northern Ireland said Neath Port Talbot and Swansea, that it was not

to sign an undertaking to process within the spirit of personal information in line with openness – which

the Act."  freedom of

The Western Mail,  meant to encourage

24 January 2009 – for departments to

Belfast News

Letter,

"27 25 September

2008

4. Resolving problems

Meeting customer needs

Our website received 20% more visits than last year. We added a new search facility, made our homepage more topical, provided a newsfeed and a space to promote the latest news. In line with customer feedback, we started a programme of new user-journeys, focusing on specific sectors and life events, with journeys on education and crime added to the site. We also published new pages on customer service commitments, an online event registration form and a new online enquiry form. The ICO now runs tailor-made plain language training for its staff, in response to customer feedback.

The ICO helpline

Our national helpline is there to provide advice to the public and organisations. Demand for this service has increased steadily in recent years. In 2008/09, the helpline received 112,767 calls. 92% of these calls were answered in under one minute with approximately 50% answered in under 30 seconds. We pride ourselves on the quality of advice we are able to offer through our helpline across such a wide range of subject matters.

Calls to this service range from individuals unfamiliar with the legislation, to organisations wishing to understand whether their latest business proposal is likely to be compliant with the legislation.

Notification helpline service

83,937 telephone calls were answered on the notification helpline with an average waiting time of 20 seconds. 20,673 written enquiries requesting notification guidance and information were responded to.

Calls received by our helpline

120,000

110,000

112,767 100,000 103,475

101,835

90,000 94,819 92,841

80,000

70,000

60,000

50,000

2004/05 2005/06 2006/07 2007/08 2008/09

"research behind Fctphrrooaemngerwedpseolsahmaiantd ytopesrafo rij enecnftdoehdrma. (dOaruitsrie opnln abny 6%. Ohthauenrdsclteaessp egs ertenhceaertpa nlt eifore ende p  dt rooo  mbcee os tsfaeksen

"Friday saw the helped improve efficiency. The Information We closed 3,019 cases, 13.5% more unit receives the new freedom of Commissioner than in the previous year, and more information complaints and

telling the NDA it

was right to was to close 2,700 cases, and we information enquiries. Many withhold from exceeded this by 319). However, we complaints are resolved publication a 2004 received 3,100 new cases, 17% more informally, by staff contacting the draft of the report than we had anticipated. The result relevant public authority; some

on geological was that the number of cases in people simply require advice on possible sites for a At the end of the first quarter, we before we can handle their

geological storage closed more cases than we received complaint.

facility for Britain's and were optimistic that we could do

nuclear waste." more. We used our increase in funding We had been prepared for a dip in ""oCJTafohnHneesa'CtsmahPbpieuosflhl"a i Ccirreyeo  nh sa tsable

to recruit new, permanent, case closures during the third quarter, New Energy Focus, caseworkers early in the year, in to take into account the impact of

11 August 2008 Wilmslow, Belfast and Cardiff, and  training and coaching new staff. We

we prepared a comprehensive training managed to close more cases than package. The first new staff arrived in predicted - over 700 - ahead of our the second quarter, and we started to projected closure rate of 675.

seek secondees from government Unfortunately, we were beaten again departments, most of whom arrived by the number of new cases coming in the third quarter. in – over 760.

" Hotohwere vperer,v diouurisngqutahret esre. condand closed sincquartFOI cer, omplaints rThwe 2005ihgitehhefec7irneiv7laelmvedqeuolsar erot  fte hrna eonwf wt cheae  sbyeeesga, arbn rs. ianwgi negven

been ordered by the the number of new cases we received the total for the year to over 3,000. ICO to reveal what began to increase: 764 - our highest The final quarter also produced good type of cars the ever. Nevertheless, our closures for closure figures, but we were again force has given its the quarter were also record breaking: unable to keep pace with new

chief officers."  769, significantly more than in any incoming cases and ended the year Review,

29 August 2008 Total freedom of information complaints received

3,500

3,100 3,000 3,019

2,658

2,601

2,500 2,713 2,646

2,592

2,000

1,666

1,500

2005/06 2006/07 2007/08 2008/09

FOI complaints closed

Pnobfuer etwndethicwceat  scirneeagass el ittshywe w  enauhsmaad bs reiegr cn oeifif ivc  eadnt Iucanonsf mdotorepmaflaurailrntytitohrsneetsrThodralieubtvtuwieonel ano l hp w–athnhhedaerl s eep . eo nli ac by l  elindes "in Stowmarket." Predicting the number of cases  we need to take. As a result we are "The ICO has ordered

we are likely to receive is difficult. able to apply a quicker and more the authority to Forecasts were based on the number consistent approach to the release a contract

with a commercial previously, and on the best available partner, including

data on the number of freedom of These improvements should enable us the financial details, information requests to central to close over 3,000 cases again next about repairs and government. Neither suggested year. Our twin aims will be to keep on maintenance at Mid anything other than a modest rise, top of new cases by effective triage Suffolk leisure centre

increase in both freedom of appropriate, and to focus our

information requests to departments remaining resources on targeting and The Ipswich

cryrrdreeeeaeumfqmnareuirnarac.ergiioDennsndtss2etsf0ottrophoou0rielrtu9aoesfsd/uoa,t1drchwm0iucete eisaaoi snhnafneocadsarrv  clfeoeotrlaouehrnssr se2e  ouof ctu0ruienonmr0smcdc8aeai aind/snnsg0eged 9 s at. nhyat ""btaRhnyeeda jepnmcuotbetinl mircge b "luaaent rredeodeqfr  ut oest and in complaints to us.  closing our oldest cases. How this Evening Star,

translates into reducing the current 3 July 2008

While we only have a limited amount caseload will of course depend on

of control over new referrals to us, we how many new cases we receive.

Our aim is to improve efficiency.

We have strengthened our approach

to the triage of new cases. Most of

our new staff are now fully trained. freedom of

Our experience of dealing with cases information laws for

- and subsequent appeals to the the correspondence

to be made public,

the ICO said it was

of a "personal nature" government policy."

JD1o9ah iFlnyeCbEhxruapapr"ermysa s2n, 0,09

Freedom of information casework

(All days are calendar days)

Received in 2008/09 3,100 Closed in 2008/09 3,019

Work in progress 1,440

What happened to the 3,100 cases we received?

Closed in 30 days or less 47% Closed in 90 days or less 62% Closed in 180 days or less 65% Closed in 365 days or less 67% Open on 31 March 2009 33%

Age of work in progress on 31 March 2009

0 to 30 days

31 to 90 days

91 to 180 days

181 to 365 days

One year to 18 months 18 months to two years More than two years

Age of closed cases during 2008/09

Age of cases at closure Target Actual 30 days or less 50% 52% 90 days or less 60% 69% 180 days or less 65% 73% 365 days or less 70% 82%

0 to 30 days 31 to 90 days 91 to 180 days 181 to 365 days Open

0 to 30 days

31 to 90 days

91 to 180 days

181 to 270 days

271 to 365 days

One year to 18 months 18 months to two years More than two years

What were the outcomes of closed cases?

Informally resolved

Ineligible or not an application for a decision under section 50 (the right to complain to the ICO)

Decision notice served

No internal review carried out by public authority

Other (re-opened)

No action required by the ICO, or the complaint withdrawn by applicant

Sector of closed cases % Local government 39% Central government 30% Police and criminal justice 10% Health 8% Other 7% Education 5% Private companies 1%

Outcome of decision notices

Total decision notices served

296 2008/09

Complaint upheld 105 Complaint not upheld 38 Partially upheld* 153

Complaint upheld

Complaint not upheld

Partially upheld

*For example

ICO ordered some disclosure but not all.

Appeals to the Information Tribunal

Total appeals since January 2005 322

Outcome of appeals

ICO decision upheld

ICO decision overturned or varied Appeals withdrawn

Appeals in progress on

62 31 March 2009

Appealing parties

Complainants Public authorities

We issued 296 decision notices Public authority:

under the Freedom of BBC

Information Act and the

Environmental Information TanhneuICalO s toa rf df ecroesdt st hf eo r B EBa Cs t te on dd ie sr cs lo.  se Regulations. The ICO's decision followed a request

All are published on our website.  to the BBC for the total annual staff

costs for the programme and the Public authority: annual value of performers' contracts.

House of Commons

Public authorities:

The ICO ordered the House of Cardiff County Council, Caerphilly Commons to release the spending County Borough Council and Rhondda details of seven MPs in Wales. This Cynon Taff County Borough Council follows a freedom of information

request for the amounts spent by the The ICO upheld decisions made by seven MPs on circulars and reports to three local authorities across South their constituents since May 2005. Wales that details relating to the

number of exclusions from named Public authority:  schools in the region should not be

Commission for Local  disclosed.

Administration in England

Public authority:

The ICO ruled the Commission  Mid Suffolk District council

for Local Administration in England

right to refuse a request for copies  The ICO ordered Mid Suffolk District of legal guidance relating to its council to release a contract with a handling of requests under the commercial partner, including the Freedom of Information Act,  financial details, concerning work to the Environmental Information carry out repairs and maintenance at Regulationsand the Data Protection Mid Suffolk leisure centre. We didn't Act, because any information it held accept the view on this occasion that was already publicly available. releasing the contract would be likely

to prejudice the commercial interests of the council or the contractor.

Public authority: Department for Transport

The ICO ruled under the Environmental Information Regulations that the Department for Transport must

release information relating to the proposal for a second runway at Stansted Airport.

Public authority: Public authority: Nuclear Decommissioning Authority Cheshire Constabulary

The ICO ruled under the Environmental The ICO upheld a decision by Information Regulations, that the the Chief Constable of Cheshire Nuclear Decommissioning Authority Constabulary refusing to disclose was right to refuse a request to see information on the grounds that the the draft report into potential areas  request was vexatious. The ICO

of radioactive waste storage methods believes that complying with this in the UK. The ICO agreed that the particular request for information draft report represents a dated review would impose a significant burden and that the final report, already in  on Cheshire Constabulary and that the public domain, provides a more the intention behind the request current guide to where the Nuclear would have the effect of harassing Decommissioning Authority intends  the force.

to focus its future activities.

Public authority:

Public authority:  Vehicle and Operator Services Agency Health and Safety Executive

The ICO ordered the Vehicle and The ICO ordered the Health and Safety Operator Services Agency to release Executive to disclose the names of the details of 22 non-safety recalls. individuals who have died in  These will not affect the commercial work-related incidents - but only after interests of manufacturers.

the coroner's inquests had opened.

Public authority: Public authority:  Ofsted

The Ministry of Justice

The ICO ordered Ofsted to release The ICO ruled that the Ministry of the names of 29,970 child care

Justice was right to withhold the managers and their relevant place  minutes of the cross party group of employment in England.  

meetings on House of Lords reform.

The information is exempt from Public authority:  

disclosure under the act as it relates  The Cabinet Office

to the formulation and development  

of government policy.  The ICO ruled that correspondence

between Diana, Princess of Wales, and Public authority: the government should not be released Ofsted on the basis that the correspondence

is of a personal nature and does not The ICO ordered Ofsted to release a comment on government or  

redacted version of the handwritten public policy.

evidence forms completed during an

inspection of St Patrick's Primary

School in Bristol.

"foavceer lcelgaaiml asctthioeny

""bwbwtsdjsSS"BwToTMouaolahturaboiaOiitbetuetn4docnsrhaisvP gsk,rket0Ibycene7huehelebiearfs drncttkHicosussMbthoiedoottereiaealmoremaamdndwdsnor"tr iv ,pdnaalfptc4katitenahtgaoah3hneo0tinkoyo neds f,n2ab2si.sniime", ere.Ie0 0T mCssUfaoh00Oj psore9er CTuiTbcaciuGannoopcnhlnhudaadcnpniecaouceesssraukrsnesotirdedltsIreisairswCvueantyscttcrnerethO,tetwtlyrfiyrenduiveooa ii einrhardtbnusswyeirngtuynlioe.lansssdfP:pwapduotpcshedahuiritkocoirmepslaae inltoCterbitaasrsknirl hctnyie,tlssi as.gowo–utTmtnooncirhhnofbhaasewttepnttaehlorediarssleraaoutkttcniph nrcoiale ,ane vtd or eirtte foihrig ct tneh hlet e ocooiwchATcitnthoooahvvrsdhdenmvmeeeshuiiceortrfiasinpmafhnc31dtsidaictinreu,,ianeu06wduyinbtnils.le00eliottsiogtRngss00crrfnet  ekoymrwwi'cennipfs.rbooihdcaheepesrreimoidecedcdeinprhhsose4dtvl ytpesowwa0eihsclpeatwetTeoecaenphrstuhocimdeelo.eleoonda adangsCrcwhltesescororatdeeotaunnrvrcrwucttsreedoaoectuo riwimctliondtnriooknieosadnvndrdegioeknexnrinegd

in the summer of 2008 called The

Enemy at the Gate', and the

Information Commissioner's Office

started to investigate.

face legal action for Our investigation revealed that a large

allegedly buying construction company appeared to

secret personal data be carrying out security checks on

about thousands  potential employees and

of workers they subcontractors. The process seemed

to be operating in breach of the data

employing them. protection principles. It denied people

basic rights, including the right to

Commissioner, to challenge the accuracy of the

Richard Thomas, will information held about them.  We knew that people would want to

know what information was kept

today publish a list

about them and what action they

of the companies he The ICO applied for a search warrant

could take. It would usually fall to the believes may have to enter the head office of the

company concerned to respond to broken data construction company. This was the

these subject access requests. protection laws, first time that the Information

However, we had serious doubts

after an investigation Commissioner's Office had applied

whether The Consulting Association by his office that for a warrant to investigate a breach

would do so. We first served them

was sparked by of the data protection principles

with a special enforcement notice

fears that many rather than a criminal offence.

requiring them to refrain immediately workers were being

from obtaining, using or disclosing any unfairly blacklisted." We found a link to an organisation

called The Consulting Association - of the personal information contained Rob Evans and the custodian of a covert database in the intelligence system and also to

36 "

Phil Chamberlain,  containing information about people refrain from altering, erasing or

who had worked on construction destroying the information. They were The Guardian,  sites. In February 2009, we searched also told that we would prosecute

6 March 2009 their premises and found an them for not having an entry on the

intelligence system which included data protection register.

"abo"acIstnuPhhobfteeonuootsusrbhptmelldraeldueacmbc'btkseti.yloiirWospniKgtnr.ieahC" tirnihtosrsdiemnauwdnsmsedfteorrivsteyrhes: egeintoxhr nadp"eevaoeryslisyn, gwe DPC(AthPsroeaiEgvmtleeCaangm Rceipsyr)lraua  olctanipotaniuencsdbcaealinttcEwiidoloaeowtnnhcra setkar rer Rnoondelenesg ioscufoltafhbteio  oItChnOs

Henry Porter, The Guardian,  continues to rise, so too does the

7 March 2009  number of complaints and enquiries referred to our office. In order to

respond to the rise in demand for

When the Consulting Association

our services, we began the year

said they intended to stop trading

with a substantial restructure of immediately, we took the

our casework departments. We unprecedented step of setting up a

re-deployed resources to provide system so people could contact us

additional expertise on the front line, to get access to the information

allowing for the early resolution of The Consulting Association had held

more cases. This enabled our

remaining casework staff to focus had set up a new construction

on cases which require more time- industry helpline service.

consuming investigation.

On the day the Consulting Association

The number of cases received story broke, we had a record number

increased by 3% to 25,509.

of visits to our website. The story

We closed 23,406 cases during generated over 200 media items,

the year, a reduction of 8.5%. including the front page of the

Productivity increased during the Guardian, and ICO staff did around 15

year as we trained 25 new staff TV and radio interviews.

(57% of our total data protection

case officer workforce). During the For many of those who rang our

first half of the year we closed helpline, we were able to give

10,195 cases, and during the second immediate reassurance that their

half of the year this increased by details did not appear on the database.

29% to 13,211.

Others were provided with a copy of

all the information held about them,

The proportion of casework we along with information about the

are now able to resolve at first options available to them if they

contact increased significantly wanted to take further action.

from approximately 30% – 40% in 2007/08 to 70% – 80% in

The service will remain in operation

2008/09. The structural changes for around six months after which the

increased our overall casework ICO's copy of the database will be

capacity by the end of the year destroyed. At the same time the ICO

without any additional financial

is making further enquiries of the 40

investment.

construction companies to determine

the extent of their involvement

in the activities of The Consulting

Association.

Overall we ended the year with 2,103 more cases in progress than we had at the start. We have made improvements to our ability to capture management information. We can now report work in progress' from the moment it arrives at the ICO. The effect is to show a more accurate figure which we were unable to do in the past.

If you compare our work in progress figure with last year's, you will see a rise of 5,205. 2,103 of these are true additions to our caseload – the remainder are the result of our improved management information.

In the first quarter we received just over 1,000 fewer cases than our forecast of 6,250, and we closed 4,791 cases. Excellent progress had been made with our restructure, and additional casework responsibilities had already been transferred to our front line teams.

In quarter two we received 5,924 cases, again below our 6,250 quarterly forecast, but significantly higher than in quarter one. Case closures increased this quarter to 5,404 as our structural changes began to take effect. Recruitment initiatives took place and we prepared to welcome the first new staff early in quarter three.

Data protection complaints and enquiries received and closed since 2005

26,000

25,592

25,000 25,509

24,084

24,851

24,000

23,988

23,000 23,406

22,059

22,000

21,887

21,000

20,000

2005/06 2006/07 2007/08 2008/09

Data protection complaints received

Data protection complaints closed

Quarter three was dominated by recruitment: we filled approximately one third of our 25 vacant posts during this quarter and the impact was immediate. We received 6,562 cases in quarter three - higher than the previous quarters and significantly above our forecast. The number of cases closed rose

to 7,098, an increase of 31% on quarter two.

Quarter four was dominated by welcoming new staff. We closed 6,113 cases, just short of our target but a positive indication of what we could expect to achieve once our new staff were trained. The unpredictable intake of new cases continued with a record 7,812 coming in, way in excess of our experiences to date and significantly above our forecast.

If the trend we experienced in quarters three and four continues, we are likely to see a 15% rise in new cases during 2009/10. Analysis of the new cases received during 2008/09 shows there was no single issue which dominated, whereas in the past 10% - 20% of all the cases we receive have tended to relate to a single significant issue.

Our experience during 2008/09 points to a more sustained and long- term rise in demand for our services. We plan to continue to engage directly with our customers to further develop our understanding of what drives the demand for our services.

Data protection casework

(All days are calendar days)

Received in 2008/09 25,509 Closed in 2008/09 23,406 Work in progress  6,442

Age of work in progress on 31 March 2009

0 to 30 days 31 to 90 days 91 to 180 days over 181 days

Age of closed cases during 2008/09

Age of cases at closure Target Actual 30 days or less 45% 30% 90 days or less 95% 81% 180 days or less 99% 93%

0 to 30 days 31 to 90 days 91 to 180 days over 181 days

Outcome of closed cases

Advice and guidance provided Ineligible complaint

Breach likely

Breach unlikely

Other

The top 10 business areas generating the most complaints where the sector is specified

The top 10 reasons for complaining where nature is specified

5. Enforcing

EoToenhfnffiosofiunoryrcef refaocrmreriehnemdangsota mtsfteeriaoeeomnfen i,tn dwhfooehrmeimcxhap thaianossn iolend  iraONmneuonlasattedhott eioimgonrosngeitioshgivehdanesimpiefrasixycnCabapdminetoyTttpswhiiClmteeeiovopeNuenfr nao w tcttvhhioioeli esrwnmk iIasiChenl inOgActhr, cipnhhuaiibtvsselics. ""ooTfrhdHeeerDeadlet pht aohraitmmspberenoetvne

how it keeps official

to an increase in enforcement action. request handling processes. In contrast records, amid

Practice recommendations were however, Liverpool City Council has concerns over its

issued to the Department of made very limited and slow progress handling of freedom Communities and Local Government  and continues to be a cause for of information

and Greater Manchester Police. concern; we will continue to monitor requests."

its performance closely.

In addition, and following a records

""bdabaInTfeeyffthcpooeteoarrhr mmmrDebt amareeIneltpetaifpoaohncrrnearthtm c mAitfntoiacrigecsttbneit.to"ethgrneoeios CfcvFsoHoeuremrmeeenda"mmdmltwoehiesmnintshdhtiaooasnftieorn  WspcT21etifspnhrttonuhr0otraeoAenfbeeam0noapfhlrtuiscorc9vecrasctaeitrega  lveremiaavnty2ptemniotoetoui0tteddifoenroymog0eesmnnnysvlw9ltotoy.ecreoT.wnouishrltnTt hoitcekhteahihr ipott asmasaateuoecr thttwpriredetsneeiaciungtivgdrlalorbclgsyee. amsoloamqitwwesendeupihnoendeighillref nlics yi uaeorcdsiletnsmurohtloic igcadnfnmereseurekipntemnMolssawrttgf vatsesatricioootnrnoathcrmt ginouyhcdut er. "KTT1"ctIwwnThe0hhafiihelltaotelehMeerbrFggDmrooeaDreea ffaramefefoicptilidccvyfihehooiile eaa"" in2montlnls i0An, bfnoofol cg0 rirfndtoc9 e ymin , i gn management assessment carried

out by The National Archives on behalf

of the ICO, the Department of Health

received a practice recommendation

in relation to its records management

practices. Previous practice

recommendations have resulted

Northamptonshire County Council

to ensure the

Health Service Journal,  authority complies

10 April 2008 with the law."

Northamptonshire Chronicle and Echo,

19 January 2009

""bpInTrrfeohoaetrec mHchtaoeitomdiondenl aaOtwaffs i  cwehen Enforcing data protection  StFa2reoon5ecdllciIompCCuwieiOrulliniinstottgysno   tmabrhenr escde oola otrfhsdc tesshw irbe ooycfs  h C  cHr ihlDe Mdip lsrd e  Ro cnbeor evit nnnee t enad fi un  itein g

one of its contractors

lost a memory stick November 2007, we began to record containing all instances of data security breaches. information on

thousands of Enhanced powers and penalties During 2008/09, 319 breaches were prisoners, the Following our What Price Privacy' reported, making a total of around

report the Criminal Justice and 400 since we started records in Commissioner's Immigration Act (2008) introduced November 2007.

Office ruled the possibility of custodial sentences

yesterday."  for those convicted of the offences of All of the reported breaches have unlawful obtaining, buying and selling been examined by ICO staff.

"boards sign" an WtJuheset asiclasemot eowAdelcectvo,emolofe padspttohawetuientrot rfrooyrd gutuhcietdioannc, ien e• nDfoerpcaermtmeennt tn footricCe o. mmunities and Jimmy Burns, of personal information. We welcomed

Financial Times,  this development and are continuing Regulatory action has been taken

23 January 2009 to monitor the incidence of these in 12 of the more serious cases.

offences with a view to building a case The regulatory action taken ranges for the custodial sentence provisions from the obtaining of an agreed

to be brought into effect. undertaking to the issue of an

"The Information

Commissioner's

Office has found NHS Commissioner to impose monetary Epnrofoterccetimone nbtr enaocthiceess for data Tayside and NHS penalties on organisations for serious

Lanarkshire guilty of breaches of the data protection Six enforcement notices were issued breaching the Data principles that occur as a result of during the year. These were against:

Protection Act. The conduct that is knowing or reckless.

ICO has demanded This is a major step forward and we • Camden Primary Care Trust

that both health are now working with the Ministry of • Consulting Association

agreement to follow and to set the maximum penalty so Local Government

the Data Protection that the power can be brought into

Act and stick to effect. • HM Revenue and Customs recommendations • Leonard Cheshire Disability

made recently by In the meantime we have continued to

• Ministry of Defence

NHS Quality press our case for the power to

Improvement inspect the processing of personal

Scotland to make information by organisations without

sure that it does not necessarily having their consent. We

happen again."  are pleased that the Coroners and

Justice Bill, which is currently before

42 "

The Herald,  Parliament includes provisions

27 November 2008 applicable to public sector

organisations. But we continue to

argue that the private sector should

also be covered.

F1td•••••h4uo2ANBHHCerrrfgbaHaaienDmoreemsSngertatrmatipthtTntTalTasherragweuuh urelPsasisnueNrryctateond.eH.Bhndt PeaidrSeneorarcg.rRFrtttTMtooa Pianohutkkoreenhini rmi rny  en gsAdgraahg wacs rnPitstpeyinnrowr iNwoCmenet Ha gfa Trt rr SerreooUuy   moTnTsb rb rtir:vuu.et essaa trticn s.h ie tyd WoDaAD1hthgave2neouafoueueladsdl evgtpruclhcciteioiaotntnnhooorhevrgmtcnrtmmteeeelirmmtutprseuDhmpyndlrseeiiel.msanreteunnis,nvvdtyntet,wecoeetinfocdderralohavtraerairactgeltdpwsnwiuaWidnoeatddngoepnroaoiitVtsasosratmsnarkerphla.gtstuheoeTnmaioamoinrthncdnsnect ledcibespssnohhea p.PotnL iaetrnOsres idivc coo, htnuftekt engaahshcts nslrvie hetaos saeeemeninndcbsdgmteoeer,n "CeobvacrLleeixouavoobacpltetmmldeooserrreerrbmmafpdsrseal.li "asiaawnrDsetdntgseeiudsti2domohr""ti5nfncpooe0gtohchrn,ora0eacn0tee0rn"

"Nick Clegg is facing embarrassment after the Information

• Home Office participated as part of an agreed

resolution to identified issues. Positive

• NHS Lanarkshire feedback has indicated value in both Daily Express,

• NHS Tayside  the engagement and in the reports. 17 September

• Royal British Legion Club 2008

• Southampton City PCT Aasddthiteio fniraslt s sttaefpf  hina vthee b deeevne rl eocprmuietendt

• St Georges Healthcare NHS Trust. of an audit capability focused on the

• Stockport NHS Foundation Trust.  challenges raised by organisational

data losses and the potential new

• Tees Esk and Wear Valleys NHS powers to spot check public

Foundation Trust.  authorities.

• Virgin Media Limited

Enforcing Privacy

and Electronic

AInuNdoivt ember 2007, following the Communications Regulations

announcement of the loss of details  Three Privacy and Electronic

of the recipients of child benefits, the Communication Regulations

Prime Minister gave the ICO the  enforcement notices have been

power to spot check government issued this year. These were against:

departments.

• The Debt Collectors Ltd

–for unsolicited marketing faxes

• The Liberal Democrats

–for automated marketing calls

• Weatherseal Holdings Ltd –for live marketing calls

""ntdShoeeaat lilefIsCyewOmhi itmafhsasiaaleenlddf awttoaith ETatwornhvanhdeenosrstp uitphsrhiearnpeir cnperloiaunpgcsbca etlyloi scy. psrTeurigehnarpgegra.i o nsppstueieesbrrsaol ioicfstn insooaohpl noteiufsnilcndnaektsoinsoto naiwfnyd  P–1ffoo0r rufoorfaasraigillceiiannccngogiusut aontttit ooinaoonnnnttssisofw. yte–ifresyi  xp r so os lie cc itu ot re sd and

controller despite

information and how this is being

consistent reminders

done.

from the ICO. The Publicising our enforcement Data Protection Act Through 2008/09 the number of  action and prosecutions

states that any

data controllers on the public register

organisation that We aim to seek media coverage

increased to 317,165: a rise of 4%  for the enforcement action we take. individual's personal The damage to an organisation's

information may be reputation can in itself be a deterrent.

Over 40,000 new notifications were

required to notify the

received, of which 3,472 notifications

ICO and pay a charge We issued news releases on data

were as a result of directly contacting

of £35 annually." protection enforcement activity,

accountants, solicitors, recruitment including prosecutions for non- Accountancy Age,  and employment agencies. notification of solicitors and

be probed b"y

31 March 2008 accountants, the enforcement notice We plan to target other business on the Liberal Democrat party for its

sectors that are under-notified. cold-calling, enforcement action on

Virgin Media and the Department for Some 282,000 notifications were Communities and Local Government

renewed for a further year. We and the undertaking signed by the continue to issue automatic letters  Home Office for the data loss

to businesses that fail to renew, and containing information on prisoners. "of data protection woOrvhgeearrne7isn9ae,t0cio0ens0ss abthruyas tiwndeeoswsneiolslt  p uruep rsdspauot een tddh .ose Tprehrtoeegrnertaiwmonemroeef sai nlosfono rstmheeva etcriooalnll ef, ecinat citoluunrdeainn gd

"Poole Council is to their register entry. Panorama.

the Information Changes to the notification

Commissioner's fee structure

Office after The government is keen to ensure that

allegations that  the ICO is adequately resourced for its

it has secretly data protection functions.

collected personal

information in breach We worked closely with the Ministry

TJ5ohJueur nMneau l2,n0ic"0ip8 al oscacionhfnntaJciunscesugip2tletaic0attet0ehi odet0on.tf .ehTrAeeehvs issg ieatoirwnrvu ecectslruthunudelmr tee,c dei utf n oarit srre wnnoitl tlfiefyeing.

laws." structure, which has been in place

Prosecutions 1 April 2008 to 31 March 2009

Date of

Defendant Offence Court Plea Result Sentence Costs

hearing

City of London £300 + £15

David Darko  S17 22/04/08 Guilty Convicted £539.20

Magistrates victim surcharge

Samuel City of London £150 + £15

S17 22/04/08 Guilty Convicted £539.20 Koranteng Magistrates victim surcharge

Christopher Wimbledon Fined £200 per

S55x2 20/06/08 Guilty Convicted £400.00 Hackett Magistrates offence (£400)

Wimbledon Fined £250 per

Darren Whalley S55x2 20/06/08 Guilty Convicted £400.00

Magistrates offence (£500)

City of London £400 + £15

Aziz M Arian S17 29/07/08 Guilty Convicted £518.40

Magistrates victim surcharge Satishkumar Harrow £300 + £15

S17 20/08/08 Guilty Convicted £483.40 Lakhani Magistrates victim surcharge

City of London £450 + £15

David J Wenham S17 17/09/08 Guilty Convicted £587.40

Magistrates victim surcharge

Haider Kennedy

City of London £350 + £15

Legal Services S17 10/12/08 Guilty Convicted £525.48

Magistrates victim surcharge

Ltd

City of London £150 + £15

John Harris on S17 10/12/08 Guilty Convicted £504.48

Magistrates victim surcharge

Kumar City of London £250 + £15

S17 10/12/08 Guilty Convicted £504.48 Bulathwela Magistrates victim surcharge

Philip Charles City of London £300 + £15

S17 29/01/09 Guilty Convicted £509.35 David York Magistrates victim surcharge

Michael  City of London £250 + £15

S17 27/02/09 Guilty Convicted £250.00 Robinson Magistrates victim surcharge

Gumej Singh  City of London £250 + £15

S17 27/02/09 Guilty Convicted £250.00 Virk Magistrates victim surcharge

Thusita City of London Not £100 + £15

S17 25/03/09 Convicted £717.05 Weerakoon Magistrates Guilty victim surcharge

5 cases were withdrawn

Number of premises search warrants applied for = 15 Number of cautions administered = 9

6. Developing and improving

Supporting our staff

We have continued to embed and develop our approach to Human Resources. The aim of the Human Resources Strategy is to ensure that our approach to recruitment, leadership and development is professional and emphasises our commitment to building, rewarding and retaining a diverse, talented and motivated workforce.

We have placed great emphasis on ensuring that our staff are equipped to do their job - the performance and development review process and learning and development strategy have been well received.

Staff have told us that they value the

learning and development they receive Case studies

at the ICO – our staff survey results

exceed the public sector norm in this Staff survey

area. We have developed a significant Results of our most induction programme to ensure that recent staff survey new staff are able to carry out their in January 2009 roles as quickly as possible from have shown marked joining. We continue to provide training improvements in

to staff on Plain English skills, HR attitudes towards policies, equality and diversity and  the organisation

the highly successful Information both as an employer Systems Examination Board certificate and a service

in data protection training. provider. 91% of

staff understand our We have commissioned further work corporate aims and through a staff working group to 88% are committed explore staff perceptions of bullying, to helping the ICO harassment, discrimination and  achieve its corporate unfair treatment at the ICO – we  objectives.

are committed to eliminating any

form of unfair treatment.

Equality and diversity

Staff from across

the organisation make up the Equality and Diversity Committee. Meeting regularly they have driven changes and ensured that we continue to implement the equality and diversity strategy.

Case study

Stakeholder research

In 2008/09, we ran the first stakeholder perception research to understand how our key customers see the ICO: 71% gave the ICO an overall satisfaction rating of excellent or very good.

Protecting and promoting the ICO's reputation

We reviewed our Communications and External Relations Strategy, to ensure it will help us meet the challenges of the next three years. The emphasis is on anticipating customers' information needs and making information rights issues relevant to everyday life. Our communications objectives are measurable by our market research programme, the results of which are published on our website.

With freedom of information and data protection stories such as MPs' expenses, the Consulting Association and surveillance dominating headlines, media coverage was strong this year. Our e-newsletter is proving popular, with around 6,000 subscribers.

To sign up, go to www.ico.gov.uk/enewsletter

The ICO's External Relations and Communications Department won the prestigious Chartered Institute

of Public Relations PRide award for outstanding in-house PR department.

We continued to improve internal communications, launching our staff competencies booklet to improve performance and completing the implementation of our staff engagement programme, to encourage initiative and involvement.

In line with our diversity and equality programme, we published fact sheets and held staff briefing sessions to raise awareness and understanding of the issues. We established our carbon footprint and started a project to reduce it, and ran internal initiatives to mark Green Week and European Data Protection day.

Information technology

A two year programme has begun

to replace and improve our ageing IT infrastructure to support new and changed business requirements.

This signals the start of a significant investment in IT which will also result in the replacement of our older legacy applications.

The benefits of the programme will be increases in capacity, resilience and security and a reduction in support effort and power consumption.

Infrastructure and ways of working are being developed to ensure the advice and good practice we recommend as an organisation are followed.

The overriding priority is to ensure that the new infrastructure provides a firm foundation suitable for our business requirements and as a robust platform for replacement applications. During the year a business case has been developed and agreed for a project

to replace the application which supports the notification process.

Electronic documents and records management

Good progress has been made with the implementation of our new record management system. It is anticipated that this project will be completed in the next financial year.

Internal compliance

During the year we started a project to ensure that adequate internal controls were in place to manage information risks. This work has included identifying information asset owners, reviewing policies and procedures and guidance issued to staff, reviewing and testing technical controls, auditing third party data processors and holding a security awareness week.

Governance

7. Governance

The Information Commissioner reports directly to Parliament. As Accounting Officer he is directly responsible for safeguarding the public funds for which he has charge, for propriety and regularity in the handling of these public funds, and for the day-to-day operations and management of

his office.

The Commissioner is supported by his Management Board which is responsible for developing strategy, monitoring progress in implementing strategy, and providing corporate governance and assurance for the ICO.

The board meets quarterly and is made up of members of the Executive Team and four Non-Executive directors:

Dr Robert Chilton David Clarke

Sir Alistair Graham Clare Tickell

The Executive Team provides leadership and oversight of the ICO and has overall responsibility for developing and delivering against the ICO's corporate and business plans.

The Executive Team meets monthly for business meetings. In addition to the Commissioner its members are:

Vicky Best Director of Human

Resources

Simon Entwisle Chief Operating

Officer

Susan Fox Director of

Communications and

External Relations David Smith Deputy

Commissioner Data

Protection

Graham Smith Deputy

Commissioner Freedom of Information

The Commissioner is also supported by the Audit Committee which provides scrutiny, oversight and assurance of risk control and governance procedures. The Committee members are:

Dr Robert Chilton - Chair David Clarke

Graham Smith

Information requests to the ICO

8. Information requests  to the ICO

Requests for information received by the Information Commissioner's Office under the Freedom of Information

Act (2000) and Data Protection

Act (1998)

The Information Commissioner's Office is a public authority for the purposes of the Freedom of Information Act (2000) and a data controller for the purposes of the Data Protection Act (1998).

This year the Internal Compliance Team has expanded in line with the increased number of requests for information which are being received.

In October 2008 we started to administer requests for information on our electronic case management system which has resulted in our ability to produce more detailed statistics than previously. More detailed information can be found on our website.

In the period 1 April 2008 to 31 March 2009 we answered 513

requests for information of which over 77% resulted in either the requested information being fully provided or partially provided.

Received requests since 2005

Received in 2005/06 232 Received in2006/07 297 Received in2007/08 232 Received in2008/09 526

Outcomes for the 513 cases closed during 2008/09

• Information provided
  • Information partially provided
    • Information not held
      • Information witheld

Financial statements

Information Commissioner

9. Financial statements

for the year ended 31 March 2009

1. Foreword 56
2. Remuneration report 60
3. Statement of the Information Commissioner's responsibilities 64
4. Statement on internal control 65
5. Certificate and report of the

Comptroller and Auditor General

to the Houses of Parliament 68

6. Income and expenditure account 70
7. Balance sheet 71
8. Cashflow statement 72
9. Notes to the accounts 73

1. Foreword

History

The Data Protection Act (1984) created a corporation sole in the name of Data Protection Registrar. The name was changed to Data Protection Commissioner on implementation of the Data Protection Act (1998) and again to Information Commissioner on implementation of the Freedom

of Information Act (2000).

Statutory background

The Information Commissioner is an independent non-departmental public body sponsored by the Ministry of Justice, but reports directly to Parliament.

The Information Commissioner's main responsibilities and duties are contained within the Data Protection Act (1998), Freedom of Information Act (2000), Environmental Information Regulations (2004)

and Privacy and Electronic Communications Regulations (2003).

The Information Commissioner's decisions are subject to appeal to the Information Tribunal and on points of law to the courts.

The Information Commissioner is responsible for setting the priorities of his office (ICO), for deciding how they should be achieved, and is required annually to lay before each House of Parliament a general report on performance.

Annual accounts and audit

The annual accounts have been prepared in a form directed by the Secretary of State for Justice with the consent of HM Treasury in accordance

with paragraph (10)(1)(b) of schedule 5 to the Data Protection Act (1998).

Under paragraph (10)(2) of schedule 5 to the Data Protection Act (1998) the Comptroller and Auditor General is appointed auditor to the Information Commissioner. The cost of audit services in the year was £29,500 (2007/08: £24,000) which includes fees of £3,500 for the audit of the shadow International Financial Reporting Standard (IFRS) re-stated balance sheet as at 31 March 2008. No other assurance or advisory services were provided.

So far as the Accounting Officer

is aware, there is no relevant audit information of which the Comptroller and Auditor General is unaware, and the Accounting Officer has taken all the steps that he ought to have taken

to make himself aware of relevant audit information and to establish that the Comptroller and Auditor General is aware of that information.

Staff issues

The ICO has a policy of cooperation and consultation with recognised trade unions over matters affecting staff. The Director of Human Resources meets regularly with the trade union side to exchange information on issues of current interest. Formal negotiations are held on pay awards and a range of other issues are discussed on a more informal basis. Staff involvement is actively encouraged as part of the day-to-day process of line management and information on current and prospective developments is widely disseminated.

Diversity

The ICO is committed to promoting equality and diversity in all that it does. The ICO wants to eliminate barriers that prevent people accessing its services or enjoying employment opportunities within the ICO.

The ICO values diversity and the benefits it can bring to the organisation and is committed to proactively making sure there are no restrictions to building and developing a diverse workforce. The ICO is committed to developing its staff

and to fair and inclusive employment practices.

The ICO has put in place an Equality and Diversity Committee chaired by the Director of Human Resources

to develop, implement and measure progress of strategy and Equal Opportunity Policies. Our Disability Equality Scheme was developed through consultation with staff, and was amended substantially from the draft version as a result.

Sustainability

The ICO has assembled a Green Group', which is a team of influential, environmentally-minded ICO employees, who meet regularly to discuss new ideas and practices which the ICO could adopt to lower the organisation's impact upon the environment. It reviews suggestions from other members of staff, and has the power to ask departments to implement its policies. It can also refer ideas to the Executive Team for approval or support.

Work undertaken in the year by The Carbon Trust estimated the carbon footprint of the office to be 513.3 tonnes, of which 79% was from the consumption of gas and electricity, and the balance mostly from staff rail and air travel.

During the year there have been a number of recycling and energy- saving initiatives and stationery products from recycled materials are now routinely sourced.

Management commentary

A detailed review of activities and performance for the year is set out in the published Annual Report, and future plans are set out in the Corporate Plan 2009-12.

Financial performance

Grant-in-aid

Freedom of information expenditure continued to be funded by a grant-in- aid from the Ministry of Justice, and for 2008/09 £5,500K (2007/08: £5,050K) was drawn down.

Under the conditions of the agreed framework document between the Information Commissioner and the Ministry of Justice up to 2% of the annual grant-in-aid can, with the prior consent of the Ministry of Justice, be carried forward to the following financial year. No grant-in-aid was carried forward to 2009/10

(2008/09: £nil).

There are no fees collected in respect of freedom of information activities.

Fees

Expenditure on data protection activities is financed through the retention of the fees collected from data controllers who notify their processing of personal data under the Data Protection Act (1998).

The annual notification fee is £35, and remains unchanged from its introduction on 1 March 2000.

Fees collected in the year totalled £11,312K (2007/08: £10,818K) representing a 4.6% increase over

the previous year. This information is provided for fees and charge purposes, rather than compliance with Standard Statement of Accounting Practice 25 (SSAP 25).

Under the conditions of the framework document agreed between the Information Commissioner and the Ministry of Justice, fees cleared' through the banking system (in other words available to spend), up to an amount of 3% of the total fees collected, can be carried forward for expenditure in the following financial year. At the end of the year an amount of £156K (1.4%) was carried forward (2007/08: £236 (2.2%) as was a further £137K (2007/08: £144K)

of cash in transit.

Accruals outturn

There was a retained deficit for the year of £5.785 million.

This result is largely brought about due to the required accounting policy for grant-in-aid which resulted in £5.5 million of grant-in-aid received in the year being taken to the Income and expenditure reserve rather than the

Income and expenditure account. In addition, accruals of both Income and expenditure have contributed to the year end position, whilst on a cash basis the ICO met the cash controls placed upon it.

The accounts continue to be prepared on a going concern basis as a non- trading entity continuing to provide public sector services. Grant-in-aid has already been included in the Ministry of Justice estimate for 2009/10, which has been approved by Parliament, and there is no reason to believe that future sponsorship and future parliamentary approval will not be forthcoming.

HM Treasury management

Under the terms of the agreed framework document between the Information Commissioner and the Ministry of Justice, the Commissioner is unable to borrow or invest funds speculatively.

Fee income is collected and banked into a separate bank account, and cleared' funds are transferred weekly to the Information Commissioner's administration account to fund expenditure.

In accordance with HM Treasury guidance on the issue of grant-in-aid that precludes non-departmental public bodies from retaining more funds that are required for their immediate needs, grant-in-aid is drawn in quarterly tranches. In order not to benefit from holding surplus funds, all bank interest and sundry receipts received are paid to the Secretary of State for Justice on a quarterly basis.

Payment of suppliers

The Information Commissioner has adopted a policy on prompt payment of invoices which complies with the Better Payment Practice Code' as recommended by government. In the year ended 31 March 2009 98.58%

(31 March 2008: 98.55%) of invoices were paid within 30 days of receipt or in the case of disputed invoices, within 30 days of the settlement of the dispute. The target percentage

was 95%.

In October 2008, government made a commitment to speed up the public sector payment process. Public sector organisations should aim to pay suppliers wherever possible within ten days, and to this end the Information Commissioner pays all approved invoices on a weekly cycle.

Personal data related incidents

There were no personal data related incidents reportable to the Information Commissioner in 2008/09 or in any previous financial years.

Future developments and post balance sheet events

The Ministry of Justice is considering changes to the notification fee regulations to introduce a tiered notification fee structure, which would also provide the opportunity to increase the financial resources available to the Information Commissioner for data protection work.

Amendments to the Data Protection Act (1998) to strengthen the Information Commissioner's inspection powers are included as part of the Coroners and Justice Bill, currently before Parliament.

Christopher Graham will succeed Richard Thomas, as Information Commissioner on 29 June 2009.

Richard Thomas Information Commissioner

15 June 2009

2. Remuneration report

Remuneration policy

Schedule 5 to the Data Protection Act (1998) provides that the salary of the Information Commissioner is to be specified by a resolution of the House of Commons.

On 24 November 2008, the House of Commons resolved, that in respect of service after 30 November 2007 (the start of the Commissioner's second term of office), the salary of the Information Commissioner shall be at a yearly rate of £140,000.

The salary of the Information Commissioner is paid directly from the consolidated fund in accordance with the schedule.

The remuneration of staff and other officers is determined by the Information Commissioner with the approval of the Secretary of State for Justice.

In reaching the determination, the Information Commissioner and Secretary of State for Justice have regard to the following considerations:

• the need to recruit, retain and motivate suitably able and qualified people to exercise their different responsibilities;

• government policies for improving the public services;

• the funds available to the Information Commissioner;

and

• the government's inflation target and HM Treasury pay guidance.

A Remuneration Committee comprising two Non-Executive board members considers, and advises the Management Board on, remuneration policies and practices for all staff.

Sir Alistair Graham and Claire Tickell are the members of the committee.

Service contracts

Unless otherwise stated below, staff appointments are made on merit on the basis of fair and open competition, and are open-ended until the normal retiring age. Early termination, other than for misconduct, would result in the individual receiving compensation as set out in the civil service compensation scheme.

Non-Executive board members are paid an annual salary of £12,000 and are appointed on on-going contracts that can be terminated with two months' notice.

Directorships and other significant interests held by board members which may conflict with their management responsibilities

A Register of Interests is maintained for the Information Commissioner and his Management Board, and is published on the Commissioner's website www.ico.gov.uk

Salary and pension entitlements

The following sections provide details of the remuneration and pension interests of the Information Commissioner and the most senior officials employed by the Information Commissioner.

Remuneration (audited)

2008/09 2007/08 Salary £'000 £'000

Richard Thomas, Information Commissioner 180-185 95-100 In November 2008, the House of Commons resolved

to increase the salary of the Information Commissioner

to £140,000 per annum with effect from 30 November

2007. Therefore the salary reported for 2008/09 includes

back-dated salary arrears from 30 November 2007.

Graham Smith, Deputy Commissioner 75-80 75-80 Simon Entwisle, Chief Operating Officer 75-80 75-80 David Smith, Deputy Commissioner 70-75 65-70

Susan Fox, Director of Communications

and External Relations 50-55 50-55 Victoria Best, Director of Human Resources 50-55 45-50

Salary

Salary' comprises gross salary and any other allowance to the extent that it is subject to UK taxation.

Benefits in kind

None of the above received any benefits in kind during 2008/09.

Pension benefits (audited)

CETV –Cash Equivalent Transfer Value

The Cash Equivalent Transfer Value at 31 March 2008 may be different from the closing figure in last year's accounts. This is due to the Cash Equivalent Transfer Value factors being updated to comply with The Occupational Pension Schemes (Transfer Values) (Amendment) Regulations (2008).

The Cash Equivalent Transfer Value figures are provided by Capita Hart shead, the ICO's Approved Pensions Administration Centre, who have assured the ICO that they have been correctly calculated following guidance provided by the government Actuary's Department.

Partnership pensions

There were no employer contributions for the above executives to partnership pension accounts in the year.

Civil service pensions

Pension benefits are provided through the civil service pension arrangements. From 30 July 2007, employees may

be in one of four defined benefit schemes; either a final salary' scheme (classic, premium or classic plus); or a whole career' scheme (nuvos). These statutory arrangements are unfunded with the cost of benefits met by monies voted by Parliament each year. Pensions payable under classic, premium, classic plus and nuvos are increased annually in line with changes in the Retail Price s Index (RPI). Members joining from October 2002 may opt for either the appropriate defined benefit arrangement or a good quality money purchase' stakeholder pension with a significant employer contribution (partnership pension account).

Employee contributions are set at the rate of 1.5% of pensionable earnings for classic and 3.5% for premium, classic plus and nuvos. Benefits in classic accrue at the rate of 1/80th

of pensionable salary for each year

of service. In addition, a lump sum equivalent to three years' pension is payable on retirement. For premium, benefits accrue at the rate of 1/60th

of final pensionable earnings for each year of service. Unlike classic, there is no automatic lump sum. Classic plus is essentially a hybrid with benefits in respect of service before 1 October 2002 calculated broadly as per classic and benefits for service from October 2002 calculated as in premium. In nuvos a member builds up a pension based on his pensionable earnings during their period of scheme membership. At the end of the scheme year (31 March) the member's earned pension account is credited with 2.3% of their pensionable earnings in that scheme year and the accrued pension is up-rated in line with RPI. In all cases members may opt to give up (commute) pension for lump sum up to the limits set by the Finance Act (2004).

The partnership pension account is a stakeholder pension arrangement. The employer makes a basic contribution of between 3% and 12.5% (depending on the age of the member) into a stakeholder pension product chosen

by the employee from a panel of three providers. The employee does not have to contribute but where they do make contributions, the employer will match these up to a limit of 3% of pensionable salary (in addition to the employer's basic contribution).

Employers also contribute a further 0.8% of pensionable salary to cover the cost of centrally-provided risk benefit cover (death in service and ill health retirement).

The accrued pension quoted is the pension the member is entitled to receive when they reach pension age, or immediately on ceasing to be an active member of the scheme if they are already at or over pension age. Pension age is 60 for members of classic, premium and classic plus and 65 for members of nuvos.

Further details about the civil service pension arrangements can be found at the website www.civilservice-pensions.gov.uk

Cash Equivalent Transfer Values

A Cash Equivalent Transfer Value is the actuarially assessed capitalised value

of the pension scheme benefits

accrued by a member at a particular point in time. The benefits valued are the member's accrued benefits and

any contingent spouse's pension payable from the scheme. A Cash Equivalent Transfer Value is a payment made by a pension scheme or arrangement to secure pension

benefits in another pension scheme arrangement when the member leaves

a scheme and chooses to transfer

the benefits accrued in their former scheme. The pension figures shown relate to the benefits that the

individual has accrued as a consequence of their total

membership of the pension scheme, not just their service in a senior capacity to which disclosure applies.

The figures include the value of any pension benefit in another scheme or arrangement which the individual has transferred to the Civil Service pension arrangements. They also include any additional pension benefit accrued

to the member as a result of their purchasing additional pension benefits at their own cost. Cash Equivalent Transfer Value's are calculated within the guidelines and framework prescribed by the Institute and Faculty of Actuaries and do not take account

of any actual or potential reduction

to benefits resulting from Lifetime Allowance Tax which may be due when pension benefits are drawn.

Real increase in Cash Equivalent Transfer Value

This reflects the increase in Cash Equivalent Transfer Value effectively funded by the employer. It does not include the increase in accrued pension due to inflation, contributions paid by the employee (including the value of any benefits transferred from another pension scheme or arrangement) and uses common market valuation factors for the start and end of the period.

Richard Thomas Information Commissioner 15 June 2009

Statement of the Information Commissioner's responsibilities

3. Statement of the Information Commissioner's responsibilities

Under paragraph 10(1)(b) of schedule 5 to the Data Protection Act (1998) the Secretary of State for Justice has directed the Information Commissioner to prepare for each financial year a statement of accounts in the form and on the basis set out in the accounts direction. The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of the Information Commissioner at the year end and of his income and expenditure, recognised gains and losses and cash flows for the financial year.

In preparing the accounts the Information Commissioner is required to comply with the requirements of the Government Financial Reporting Manual and in particular to:

• observe the accounts direction issued by the Secretary of State for Justice with the approval of the HM Treasury, including the relevant accounting and disclosure requirements, and apply suitable accounting policies on a consistent basis;

• make judgements and estimates on a reasonable basis;

• state whether applicable accounting standards as set out in the Government Financial Reporting Manual have been followed, and disclose and explain any material departures in the financial statements

and

• prepare the financial statements on the going concern basis, unless it is inappropriate to presume that the Information Commissioner will continue in operation.

The Accounting Officer of the Ministry of Justice has designated

the Information Commissioner as Accounting Officer for his office.

The responsibilities of an Accounting Officer, including responsibility for the propriety and regularity of the public finances and for keeping of proper records and for safeguarding the Information Commissioner's assets, are set out in the Non-Departmental Public Bodies' Accounting Officer Memorandum, issued by HM Treasury and published in Managing

Public Money.

Statement on internal control

4. Statement on internal control

Scope of responsibility

As Information Commissioner

and Accounting Officer I have responsibility for maintaining a sound system of internal control that supports the achievement of the ICO's policies, aims and objectives, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me in Managing Public Money.

I work directly with my Executive Team and Management Board. The Executive Team has responsibility for developing and delivering against the ICO's corporate and business plans, and for allocating resources and delegating financial and managerial authority as appropriate. The ICO's Management Board develops strategy, monitors progress in implementing strategy and provides corporate governance and assurance. The board receives regular reports on financial and operational performance. It is involved in the management of risk at a strategic level by considering the major factors which could prevent the ICO's strategic aims from being met.

The ICO is funded from both grant-in- aid and from data protection fee income, collected and spent under the direction of the Ministry of Justice.

I am designated as Accounting Officer by the Ministry's Principal Accounting Officer. As such, I advise the Ministry on the discharge of my responsibilities in connection with income and expenditure in accordance with

the terms of an agreed framework document, and by way of quarterly liaison meetings with the Ministry of Justice for which financial and performance reports (amongst others) are provided.

The purpose of the system

of internal control

The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable

and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of ICO policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage

them efficiently, effectively and economically. The system of internal control has been in place in the ICO for the year ended 31 March 2009 and up to the date of approval of the annual report and accounts, and accords with HM Treasury guidance.

Capacity to handle risk

As Accounting Officer I acknowledge my overall responsibility for the effective management of risk in the ICO. There is a Corporate Risk Register which identifies, assesses and sets out mitigating actions for significant risks to the achievement of the ICO's aims. There are also risk registers in place for specific projects.

Statement on internal control

The ICO's Risk Management Policy and The risk and control framework

the register have continually changed The main element of the risk

in light of experience. In particular management strategy is the

during 2008/09 the register has  maintenance of the Corporate Risk

been revised to clarify the difference Register, with risks and mitigating between risk status before mitigation actions reviewed and updated on a

and anticipated risk status after quarterly basis by way of discussion mitigation. Mitigating actions have also with individual risk owners at Executive been assigned owners to ensure clarity Team level, and discussion at Executive of responsibility for and reporting of Team, Management Board, Audit

the actions. These changes have Committee and Operational

improved the management of risk  Management Committee meetings.

by the ICO. Changes to risks and new risks are

identified during discussions on risks at The management and review of these meetings and also in discussion of corporate risks are led at Executive other issues. New risks and changes to Team level, with Executive Team existing risks are also raised by officials. members identified as risk owners,

and quarterly reviews of both the risks Other elements of the strategy include facing the ICO and performance in quarterly reports on financial and meeting mitigating actions. The operational performance to the Corporate Risk Register is also Executive Team and Management Board, considered at the Management Board a comprehensive budgeting process

and at Audit and Operational with an annual budget approved by the Management Committees. The board, and a system of delegation and Corporate Risk Register and the accountability. These demonstrate the underlying Risk Management Policy continuing achievement of efficiencies and procedure are made available  in the work of the ICO, and better ways to all staff via the ICO's intranet. of monitoring efficiencies.

Individual business units also report on performance against their business plans on a quarterly basis, identifying successes and problems, detailing variances against plan and work undertaken during the quarter.

The reports also identify expected variances against plans for the

next quarter.

In addition, internal audit identifies areas of risk and makes recommendations to mitigate these risks. During 2008/09 the ICO has focused on improving on its performance at actioning the recommendations more promptly.

The system of internal control continues to be supported by a Fraud policy and a Whistle-Blowing policy covering confidential reporting of staff concerns.

The ICO acknowledges that its position, as regulator in respect of the Data Protection Act (1998) and the Freedom of Information Act 2000, means that it has to maintain the highest standards in its handling of information. Failure to comply with the legislation the ICO regulates would damage the ICO's reputation and the confidence placed in the ICO by Parliament. To manage this risk, a Security Committee, chaired by the Chief Operating Officer, meets

quarterly to provide security expertise and strategic direction, as well as advice on the adequacy of the ICO's security policy.

It also provides a forum for reviewing any significant security incidents. In light of past high profile losses of personal data, independent reports have been considered

by the Security Committee in respect of the ICO's data handling practices and procedures.

On a practical level the ICO continues to encrypt the hard drives of all laptops, and training on data protection information security is mandatory for all staff.

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the

system of internal control. My review of the effectiveness of the system of internal

control is informed by the work of the internal auditors ( Price waterhouseCoopers), Executive Team members who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letter and other reports. I have been advised on the implications of the result of my review of the effectiveness of the system of internal

control by the Management Board and the Audit Committee. Plans are in place to address weaknesses and ensure continuous improvement of the system.

The effectiveness of the system of internal control was maintained and reviewed throughout the year by:

• The Management Board

The board meets on a quarterly basis and considers the Corporate Risk Register and reports detailing financial and operational performance across the ICO, including operational performance in relation to data protection and freedom of information case work and enquiries as well as current and projected data protection fee income.

• The Executive Team

The Executive Team holds monthly business meetings. It is responsible for providing leadership and oversight for the ICO and has overall responsibility for developing and delivering the ICO's corporate and business plans.

• The Audit Committee

The Committee is chaired by a Non-Executive board member and is attended by internal auditors ( Price waterhouseCoopers) and external auditors (the National Audit Office). The Committee reports directly to me, as the Accounting Officer, on the adequacy of audit arrangements and on the implications of assurances provided in respect of risk and control. It considers all audit reports and recommendations and the formal management response.

I am invited to attend Audit Committee meetings and have seen the annual report of the Audit Committee which

is available on the ICO's web site.

The internal auditors have a direct line of communications to me as the Accounting Officer. In addition the internal auditors regularly report to the Audit Committee in accordance with government internal audit standards including their independent opinion on the adequacy and effectiveness of the ICO's system of internal control. The internal auditors also provide an annual statement based on areas they scrutinise during the year.

I am pleased that for 2008/09, the internal auditors established that they could give moderate assurance on the design, adequacy and effectiveness of the system of internal control.

Richard Thomas Information Commissioner 15 June 2009

Certificate and report of the Comptroller and Auditor General

5. The certificate and report of

the Comptroller and Auditor General to the Houses of Parliament

I have audited the financial statements of the Information Commissioner for the year ended 31 March 2009 under the Data Protection Act (1998). These comprise the Income and expenditure account, the balance sheet, the cash flow statement and statement of recognised gains and losses and

the related notes. These financial statements have been prepared under the accounting policies set out within them. I have also audited the information in the Remuneration report that is described in that report as having been audited.

Respective responsibilities of

the Information Commissioner

and Auditor

The Information Commissioner as Accounting Officer is responsible for preparing the Annual Report, which includes the Remuneration report, and the financial statements in accordance with the Data Protection Act (1998) and directions made thereunder by the Secretary of State for Justice with the approval of HM Treasury and for ensuring the regularity of financial transactions. These responsibilities are set out in the Statement of the Information Commissioner's responsibilities.

My responsibility is to audit the financial statements and the part of the Remuneration report to be audited in accordance with relevant legal and regulatory requirements, and with International Standards on Auditing (UK and Ireland).

I report to you my opinion as to whether the financial statements give

a true and fair view and whether the financial statements and the part of

the Remuneration report to be audited have been properly prepared in accordance with the Data Protection Act (1998) and directions made thereunder by the Secretary of State for Justice with the approval of HM Treasury. I report to you whether, in my opinion, the information, which comprises the accounts: foreword and governance sections, included in the Annual Report is consistent with the financial statements. I also report whether in all material respects the expenditure and income have been applied to the purposes intended by Parliament and the financial transactions conform to the

authorities which govern them.

In addition, I report to you if the Information Commissioner has not kept proper accounting records, if I have not received all the information and explanations I require for my audit, or if information specified by HM Treasury regarding remuneration and other transactions is not disclosed.

I review whether the Statement on internal control reflects the Information Commissioner's compliance with HM Treasury's guidance, and I report if it does not.

I am not required to consider whether this statement covers all risks and controls, or form an opinion on the effectiveness of the Information Commissioner's corporate governance

procedures or its risk and control procedures.

I read the other information contained in the Annual Report and consider whether it is consistent with the audited financial

statements. This other information comprises

the Information Commissioner's foreword, Year at a glance, Educating and influencing, Resolving problems, Enforcing, Developing and Improving, Information requests to the ICO, and the unaudited part of the Remuneration report.

I consider the implications for my report if I become aware of any apparent misstatements

or material inconsistencies with the financial statements. My responsibilities do not extend to any other information.

Basis of audit opinions

I conducted my audit in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. My audit includes examination, on a test basis, of evidence relevant to the amounts, disclosures and regularity of financial transactions included in the financial statements and the part of the Remuneration report to be audited. It also includes an assessment of the significant estimates and judgments made by the Information Commissioner in the preparation of the financial statements, and of whether the accounting policies are most appropriate to the Information Commissioner's circumstances, consistently applied and adequately disclosed.

I planned and performed my audit so as to obtain all the information and explanations which I considered necessary in order to provide me with sufficient evidence to give reasonable assurance that the financial statements and the part of the Remuneration report to be audited are free from material misstatement, whether caused by fraud or error, and that in all material respects the expenditure and income have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them. In forming my opinion I also evaluated the overall adequacy of the presentation of information in the financial statements and the part of the Remuneration report to be audited.

Opinions

In my opinion:

• the financial statements give a true and

fair view, in accordance with the Data Protection Act (1998) and directions made thereunder by the Secretary of State for Justice with the approval of HM Treasury, of the state of Information Commissioner's affairs as at 31 March 2009 and of its

deficit, recognised gains and losses and

cash flows for the year then ended;

• the financial statements and the part of the Remuneration report to be audited have been properly prepared in accordance with the Data Protection Act (1998) and directions made thereunder by the Secretary of State for Justice with the approval of HM Treasury;

and

• information, which comprises the accounts: foreword and governance sections, included in the Annual Report, is consistent with the financial statements.

Opinion on regularity

In my opinion, in all material respects the expenditure and income have been applied to the purposes intended by Parliament and the financial transactions conform to the authorities which govern them.

Report

I have no observations to make on these financial statements.

Amyas C E Morse

Comptroller and Auditor General National Audit Office

151 Buckingham Palace Road Victoria

London

SW1W 9SS

18 June 2009

Income and expenditure

6. Income and expenditure account for the year ended 31 March 2009

2008/09 2007/08

Note £'000 £'000 £'000 £'000 Income

Operating income 2 11,101 10,593

Other income 3 50 20

11,151 10,613

Expenditure

Staff costs 4 9,218 8,616 Other operating costs 5 7,151 7,088 Depreciation and amortisation of fixed assets 7 468 1,254 Loss on revaluation of fixed assets 72 - Profit on disposal of fixed assets - (2)

16,909 16,956 Operating deficit (5,758) (6,343)

Interest receivable 6 43 63 Notional cost of capital 1.7 103 81

Deficit for the year (5,612) (6,199)

Notional cost of capital 1.7 (103) (81) Surrender of sundry receipts to the Ministry of Justice 6 (70) (83)

Retained deficit for the year (5,785) (6,363) Statement of recognised gains and losses for the year ended 31 March 2009

2008/09 2007/08

Note £'000 £'000 £'000 £'000

Net (loss) on revaluation of fixed assets 12 (73) (116)

All income and expenditure relates to continuing operations. There were no material acquisitions or disposals in the year.

Balance sheet

7. Balance sheet as at 31 March 2009

31 March 2009 31 March 2008 Note £'000 £'000

Fixed assets

Tangible fixed assets 7 2,548 2,105 Intangible fixed assets 7 36 -

Current assets

Debtors and prepayments 8 737 655 Cash at bank and in hand 9 305 391 1,042 1,046

Creditors - amounts falling due within one year 10 (6,566) (6,079)

Net current (liabilities) (5,524) (5,033) Total assets less current liabilities  (2,940) (2,928) Provision for liabilities and charges  11 (8) (32) Net (liabilities) (2,948) (2,960)

Reserves

Income and expenditure reserve 12 (2,948) (3,033) Revaluation reserve 12 - 73

(2,948) (2,960)

Richard Thomas Information Commissioner 15 June 2009

Cashflow statement

8. Cashflow statement for the year ended 31 March 2009

31 March 2009 31 March 2008 Note £'000 £'000

Net cash outflow from operating activities 13 (4,467) (4,917) Return on investment and servicing of finance

Interest received 43 63

Capital expenditure and financial investment

Payment to acquire tangible fixed assets (1,044) (198)

Payment to acquire intangible fixed assets (48) -

Proceeds from the sale of tangible fixed assets - 5

Net cash outflow before financing (1,092) (193) Financing (5,516) (5,047)

Grant-in-aid received 5,500 5,050 Surrender of sundry receipts to the Ministry of Justice (70) (83)

5,430 4,967 Decrease in cash (86) (80)

Notes to the accounts

Notes to the accounts

1 Statement of accounting policies

1. Accounting convention

These accounts have been prepared in accordance with an Accounts Direction issued by the Secretary of State for Justice, with the approval of the HM Treasury, in accordance with paragraph (10)(1)(b) of schedule 5 to the Data Protection Act (1998).

These accounts shall give a true and fair view of the income and expenditure, and cashflows for the financial year, and state of affairs at the year end. The accounts are prepared in accordance with The Government Financial Reporting Manual for 2008/09 and other guidance which HM Treasury has issued in respect of accounts which are required to give a true and fair view, except where agreed otherwise with the Treasury, in which case the exception is described in the notes to the accounts.

These accounts have been prepared under the historical cost convention, as modified by the inclusion of fixed assets at current cost. The accounts meet the accounting disclosure requirements of the Companies Act (1985) and the accounting standards issued or adopted by the Accounting Standards Board to the extent that those requirements are appropriate.

Going concern

The accounts have been prepared on a going concern basis. For non-trading entities in the public sector, the anticipated continuation of the provision of a service in the future, as evidenced by the inclusion of financial provision for that service in published documents is normally sufficient evidence of going concern. The Government Financial Reporting Manual states sponsored entities whose balance sheet show total net liabilities should prepare their financial statements on the going concern basis unless, after discussion with their sponsors, the going concern basis is deemed inappropriate.

2. Grant-in-aid

Grant-in-aid is received from the Ministry of Justice to fund expenditure on freedom of information responsibilities, and is credited to the income and expenditure reserve upon receipt.

3. Fee income

Fee income is received from notifications made under the Data Protection Act (1998), and is retained as operating income.

The notification fee is paid in advance for a period of one year, and a proportion of this income is deferred and released back to the income and expenditure account over the fee period.

4. Fixed assets

Tangible fixed assets

Assets are capitalised as fixed assets if they are intended for use on a continuous basis, and their original purchase cost, on an individual basis, is £2,000 or more, except for laptop and desktop computers procured through the IS Managed Services Agreement which are capitalised even when their individual cost is below £2,000. Fixed assets (excluding assets under construction) are valued at net current replacement cost by using appropriate indices published by national statistics, when the effect of re-valuing assets over time is material.

Intangible fixed assets

Intangible fixed assets are stated at the lower of replacement cost and recoverable amount. Computer software licences and their associated costs are capitalised as intangible fixed assets where expenditure of £2,000 or more is incurred. Software licences are amortised over the shorter of the term of the licence and the economic useful life.

5. Depreciation

Depreciation is provided on all fixed assets on a straight-line basis to write off the cost or valuation evenly over the asset's anticipated life. A full year's depreciation is charged in the year in which an asset is brought into use. No depreciation is charged in the year of disposal.

The principal lives adopted are:

Leasehold improvements: over the remaining life of the property lease. Equipment and furniture: 5 – 10 years.

Information technology: 5 – 10 years.

6. Stock

Stocks of stationery and other consumable stores are not considered material and are written off to the income and expenditure account as they are purchased.

7. Notional charges

Cost of capital

A notional charge reflecting the cost of capital employed in the year is included in the income and expenditure account along with an equivalent reversing notional income to finance the charge. The charge is calculated using HM Treasury's discount rate of 3.5% applied to the mean value of capital employed during the year.

Salary of the Information Commissioner

The salary and pension entitlements of the Information Commissioner are paid directly from the consolidated fund as a standing charge, and are included within staff costs and also as a corresponding credit to the income and expenditure reserve.

Secondments

A notional charge reflecting the benefit of central government secondees, working on freedom of information casework whilst being paid by their home department, has been included within staff costs at the rate the Information Commissioner would have paid such staff had they been employed directly by him, together with a corresponding credit to the income and expenditure reserve.

8. Pension contributions

Pension contributions are charged to the income and expenditure account in the year of payment.

9. Provisions – early departure costs

The additional cost of benefits, beyond the normal Principal Civil Service Pension Scheme benefits in respect of employees who retire early, are provided for in full.

10. Operating leases

Amounts payable under operating leases are charged to the income and expenditure account on a straight-line basis over the lease term, even if these payments are not made on such a basis.

11. Value added tax

The Information Commissioner is not registered for VAT as most activities of the Information Commissioner are outside the scope of VAT and fall below the registration threshold. VAT is charged to the relevant expenditure category, or included in the capitalised purchase cost

of fixed assets.

2 Operating income

Fees collected under the Data Protection Act (1998) 2008/09 2007/08

£'000 £'000

Deferred income at 1 April 2008 5,739 5,514 Fee receipts 11,312 10,818 Deferred income at 31 March 2009 (5,950) (5,739)

11,101 10,593

3 Other income

Other income is paid to the Ministry of Justice 2008/09 2007/08

£'000 £'000

Legal fees recovered 32 10 Travel expenses 18 10 50 20

4 Staff costs

Staff costs were 2008/09 2007/08

£'000 £'000